Tinker ☀️Lol, when a bunch of hackers migrate to new services, they tend to kick the tires a bit 😂.
Here, some hackers found a way to steal Mastodon passwords by manipulating the way Mastodon allows (and sidestepping the way Mastodon protects) HTML imbedded into posts.
It also highlights the ways that third party plugins (here Glitch, found on the Mastodon server infosec(dot)exchange and others) introduce interesting attack vectors that core maintainers don't initially control (thoughts go out to Wordpress).
The hackers then reported the issues to the Mastodon team and the Glitch team so they could issue security patches.
Big shoutout for finding/reporting the vuln:
Kudos to the Mastodon & Glitch teams for coordinating and issuing a timely security patch.
I expect we'll see a lot of more of these initially (this is good, means the website is getting more secure).
Takeaways:
- Users: Consider changing your Mastodon password. Implement Multi-Factor Authentication.
- Admins: Update to the latest Mastodon version. Update any plugins as well.
Full writeup here: https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp
All Bobinas P4G content and data are available under the