To everyone over here on hci.social: I highly encourage the use of 2FA.

Details - https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp

You can find the feature here -
https://hci.social/settings/otp_authentication

#2FA #KeepSecure

Stealing passwords from infosec Mastodon - without bypassing CSP

The story of how I could steal credentials on Infosec Mastodon with a HTML injection vulnerability, without needing to bypass CSP. Everybody on our Twitter feed seemed to be jumping ship to the infose

PortSwigger Research