the may 2026 fedi software vulnerability

https://lobste.rs/rss Hits: 23
Summary

2026-05

alternate title: the most annoying person you’ve ever known has just gotten a reason to become even more annoying

(via mia)

a little before this post ought to go up, mastodon, iceshrimp.net, misskey (and its many forks), wafrn, and any other fedi software implementing ld-signatures should’ve released a security update. apply it.

after mastodon reached out to us to let us know we may be vulnerable, i was part of the response to this vulnerability on the iceshrimp.net side. this jumble of words and sentences is intended to be my own personal thoughts about all this, as given my loud opinions around the code that got exploited, i think a “told you so” would be appropriate.

what went wrong

ld-signatures. a rarely implemented and effectively deprecated part of the de-facto protocol that mastodon loudly warns other implementors not to bother with, and which already has a replacement that wouldn’t have broken in this way if implementations had already switched to it. and to be fair, we do not have it either, as it demands upgrading from rsa to ed25519, which, in the direction w3c wants to take the protocol, demands replacing the mostly ok http signature draft (one a mediocre dev like me could implement in a weekend, and which could reasonably be updated to fix the quirks in a compatible way) with an rfc way overbuilt with, as far as i can see, minuscule benefits over some vague “spec adherence”.

additionally, due to iceshrimp.net’s odd requirement of supporting misskey database migrations (although, since then, we have added migrations that make moving back to a misskey-based software difficult), a lot of our current tech choices are pretty much just “misskey done in c#”, so we do not really support multiple keys on an actor just yet. you do not need to be claude mythos in order to think this may be a good place to look for vulnerabilities in.

the eLLephaMt in the room

but just because it’s obvious in hindsight does not mean many people will actually look there.
this specific vu...

First seen: 2026-05-20 16:43

Last seen: 2026-05-21 15:01