The protocol states that when fetching /.well-known/nodeinfo clients should follow redirects, but doesn't provide any restrictions on the domain/origin redirected to.
Similarly, the JRD document at /.well-known/nodeinfo can link to a NodeInfo document at any location, with no restrictions on domain/origin.
This allows servers to trivially reference NodeInfo documents for entirely different servers, providing erroneous metadata.
I've found 4 cases in the last 2 months where people have tried to set up aliases from their own domain to Mastodon accounts on other servers, and accidentally ended up referencing mastodon.social's NodeInfo from their domain. As the NodeInfo protocol stands, that "gave" those domains all the metadata of mastodon.social, e.g. user count.
The obvious way to solve this would be to restrict redirects and links to the same origin, or domain, or site (depending on how strict you wanted/needed to be).
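To make the proposed fix concrete, here is an added example (not code from the NodeInfo specification or from any implementation discussed in this issue) of a client that resolves /.well-known/nodeinfo but refuses any redirect or JRD link that leaves the origin, host, or site of the domain being queried. The hostnames, the in-memory response table, and the user counts are constructed so the example runs offline; the "site" check compares only the last two host labels, which is a simplification of what a real client would do with the Public Suffix List.

```python
"""Resolve a NodeInfo document while enforcing an origin/host/site policy on
every hop.  Network fetches are replaced by a constructed in-memory table."""
from urllib.parse import urlparse, urljoin

# Real rel prefix used by NodeInfo JRD links (schema versions 1.0 .. 2.1).
NODEINFO_REL_PREFIX = "http://nodeinfo.diaspora.software/ns/schema/"


def origin_of(url):
    """Web origin of a URL: (scheme, host, effective port)."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    default_port = {"https": 443, "http": 80}.get(scheme)
    return (scheme, (p.hostname or "").lower(), p.port or default_port)


def registrable_domain(url):
    """Simplified 'site' key: the host's last two labels.
    Assumption: a production client would consult the Public Suffix List."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    return ".".join(labels[-2:])


def allowed(base_url, target_url, policy):
    """May target_url serve NodeInfo data on behalf of base_url?
    policy is 'origin' (strictest), 'host', or 'site'."""
    if policy == "origin":
        return origin_of(base_url) == origin_of(target_url)
    if policy == "host":
        return origin_of(base_url)[1] == origin_of(target_url)[1]
    if policy == "site":
        return registrable_domain(base_url) == registrable_domain(target_url)
    raise ValueError(f"unknown policy {policy!r}")


class NodeInfoRejected(Exception):
    """Raised when a redirect or JRD link would cross the configured boundary."""


def resolve_nodeinfo(domain, responses, policy="origin", max_redirects=5):
    """Walk /.well-known/nodeinfo -> JRD -> NodeInfo document for `domain`.
    `responses` maps absolute URL -> ('redirect', location) | ('json', dict)."""
    base = f"https://{domain}/.well-known/nodeinfo"
    url = base
    for _ in range(max_redirects + 1):
        kind, payload = responses[url]
        if kind != "redirect":
            break
        nxt = urljoin(url, payload)          # redirects may be relative
        if not allowed(base, nxt, policy):
            raise NodeInfoRejected(f"redirect to {nxt} leaves {policy} of {base}")
        url = nxt
    else:
        raise NodeInfoRejected("too many redirects")
    for link in payload.get("links", []):
        if not str(link.get("rel", "")).startswith(NODEINFO_REL_PREFIX):
            continue
        href = urljoin(url, link["href"])     # JRD hrefs may be relative too
        if not allowed(base, href, policy):
            raise NodeInfoRejected(f"JRD link {href} leaves {policy} of {base}")
        kind, doc = responses[href]
        if kind != "json":
            raise NodeInfoRejected(f"{href} did not return a NodeInfo document")
        return doc
    raise NodeInfoRejected("JRD carries no NodeInfo link")


def resolve_or_none(domain, responses, policy="origin"):
    """Convenience wrapper: the NodeInfo dict, or None if the policy rejected it."""
    try:
        return resolve_nodeinfo(domain, responses, policy)
    except NodeInfoRejected:
        return None


# Constructed responses (hostnames and counts are made up for this example).
RESPONSES = {
    # Healthy server: JRD points at a same-origin NodeInfo document.
    "https://example.social/.well-known/nodeinfo": ("json", {"links": [
        {"rel": NODEINFO_REL_PREFIX + "2.0", "href": "/nodeinfo/2.0"}]}),
    "https://example.social/nodeinfo/2.0": ("json", {
        "version": "2.0", "usage": {"users": {"total": 12}}}),
    # Subdomain that redirects to its apex: same site, different origin.
    "https://www.example.social/.well-known/nodeinfo":
        ("redirect", "https://example.social/.well-known/nodeinfo"),
    # Alias domain with a blanket redirect to a large, unrelated server:
    # the misconfiguration described in the issue.
    "https://alias.example/.well-known/nodeinfo":
        ("redirect", "https://big.example.net/.well-known/nodeinfo"),
    "https://big.example.net/.well-known/nodeinfo": ("json", {"links": [
        {"rel": NODEINFO_REL_PREFIX + "2.0",
         "href": "https://big.example.net/nodeinfo/2.0"}]}),
    "https://big.example.net/nodeinfo/2.0": ("json", {
        "version": "2.0", "usage": {"users": {"total": 1000000}}}),
}

if __name__ == "__main__":
    for dom in ("example.social", "www.example.social", "alias.example"):
        for pol in ("origin", "site"):
            print(dom, pol, resolve_or_none(dom, RESPONSES, pol))
```

Run as a script, the alias domain is rejected under every policy because its redirect lands on a different registrable domain, while the www subdomain is accepted only under the looser "site" policy; that is the origin/domain/site trade-off the issue describes, made explicit in one place the client controls.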