Andrea Menin brings us a great find: a deviously simple WAF bypass. The core bug lies in ModSecurity itself, specifically in the variables it exposes for the various third-party rulesets to match against, so any ruleset built on those variables inherits the problem.
Normalization gone wrong: when normalizing a domain, Mastodon intended to strip a trailing `/`, but did so with Ruby's `.delete("/")`, which removes every `/` in the string rather than just a trailing one. As a result, an account such as `someone@mastodon.so/cial` normalized to `someone@mastodon.social` and could be used to spoof that account.
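To make the `.delete("/")` mistake concrete, here is an added Ruby example (my own illustration, not Mastodon's code) that puts the vulnerable normalization beside a hardened one. The helper names, the `canonical_account` wrapper and the use of `URI.parse` as the round-trip check are all assumptions for the example; the only thing taken from the write-up is the `.delete("/")` behaviour and the `mastodon.so/cial` spoof.

```ruby
require "uri"

# Vulnerable normalisation, modelled on the behaviour described above (not
# Mastodon's code): String#delete removes *every* "/" in the string, so the
# path-smuggling domain "mastodon.so/cial" collapses to "mastodon.social".
def normalize_domain_vulnerable(domain)
  domain.downcase.delete("/")
end

# Hardened normalisation: strip only a trailing "/" (String#delete_suffix), then
# refuse anything that still contains a "/" or does not survive a round trip
# through URI parsing as a bare host.
def normalize_domain_fixed(domain)
  d = domain.downcase.delete_suffix("/")
  raise ArgumentError, "not a bare hostname: #{domain.inspect}" if d.include?("/")
  host = URI.parse("https://#{d}/").host
  raise ArgumentError, "bad host: #{domain.inspect}" unless host == d
  d
rescue URI::InvalidURIError
  raise ArgumentError, "unparseable host: #{domain.inspect}"
end

# Canonical "user@domain" form used for account comparison; the block decides
# how the domain part is normalised (hypothetical helper for this example).
def canonical_account(acct)
  user, domain = acct.split("@", 2)
  raise ArgumentError, "missing domain in #{acct.inspect}" if domain.nil?
  "#{user}@#{yield(domain)}"
end

if __FILE__ == $0
  spoof = "someone@mastodon.so/cial"
  real  = "someone@mastodon.social"
  # With the vulnerable normaliser the two accounts compare equal.
  puts canonical_account(spoof) { |d| normalize_domain_vulnerable(d) } ==
       canonical_account(real)  { |d| normalize_domain_vulnerable(d) }
  # With the hardened normaliser the spoof is rejected outright.
  begin
    canonical_account(spoof) { |d| normalize_domain_fixed(d) }
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The point of the round-trip through `URI.parse` is that "remove the trailing slash" is only half the job: a domain field that can still smuggle a path, port or userinfo component should be rejected rather than silently reshaped into something that happens to look like a legitimate host.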
A desync between the parameter the authorization check reads and the one the action itself uses: the check approves one value while the action operates on another, letting an attacker reach resources the check would otherwise have denied.
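The pattern generalizes to any handler that can read the same logical parameter from more than one place (query string versus body, path versus header, and so on). The following added Ruby example is a hypothetical handler of my own, not the affected application's code; the `Request` struct, the document store and the `delete_doc_*` names are assumptions made for the illustration. It shows the check and the action disagreeing on which id they use, and the fix of resolving the parameter once and refusing conflicting copies.

```ruby
# Hypothetical request model (added illustration, not the affected
# application's code): a request carries both query-string and body
# parameters, and the bug is that the authorisation check and the action
# read the record id from different ones.
Request = Struct.new(:user, :query, :body)

class Forbidden < StandardError; end
class AmbiguousParameter < StandardError; end

# Constructed sample data: document id => owner.
SEED_DOCS = { 1 => "alice", 2 => "bob" }.freeze

def authorized?(store, user, doc_id)
  store[doc_id] == user
end

# Vulnerable: the check reads query["id"], the action reads body["id"].
# "?id=1" with a body of id=2 passes the check as alice's own document
# but deletes bob's.
def delete_doc_vulnerable(req, store)
  raise Forbidden unless authorized?(store, req.user, req.query["id"])
  store.delete(req.body["id"])
  :deleted
end

# Fixed: resolve the id from exactly one place, reject a conflicting copy in
# the other, and pass the same resolved value to the check and the action.
def delete_doc_fixed(req, store)
  doc_id = req.query["id"]
  if req.body.key?("id") && req.body["id"] != doc_id
    raise AmbiguousParameter, "id given twice with different values"
  end
  raise Forbidden unless authorized?(store, req.user, doc_id)
  store.delete(doc_id)
  :deleted
end

if __FILE__ == $0
  attack = Request.new("alice", { "id" => 1 }, { "id" => 2 })
  store = SEED_DOCS.dup
  delete_doc_vulnerable(attack, store)
  puts "vulnerable: remaining docs #{store.keys.inspect}"   # bob's doc 2 is gone
  store = SEED_DOCS.dup
  begin
    delete_doc_fixed(attack, store)
  rescue AmbiguousParameter, Forbidden => e
    puts "fixed: rejected (#{e.class})"
  end
end
```

When reviewing code for this class of bug, the check is mechanical: for every authorization decision, find the exact expression that produced the value being checked and confirm the privileged operation consumes that same expression, not a second read of "the same" parameter through a different accessor.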