at mid afternoon
it is probably raining
no more bumble bees
#haiku #outsidemywindow #plants #flowers #sheffield
Hummingbird in Hebrew, just as beautiful and fun to experience!
#hummingbird #hebrew #birdfeeder #birdwatching #languagelearning #outsidemywindow #jewish
Good morning. Gray skies with chance of sunshine seem to be the weather forecast made by yours truly today. By the way, I forecast the weather by looking outside the window.
Due to some offhand remarks that somebody was encouraging bad behavior, I spent time thinking about how to exploit Mastodon's authentication system for web applications. First let me summarize my understanding of it. To make a request against the Mastodon API, you need an access token; with it, basically any website can access it, due to their permissive CORS configuration.
Mastodon injects this access token through the wrapping HTML. Pinafore stores it in localStorage. What both of these approaches have in common: they are vulnerable to script injection. So if I manage to execute a script (for example through a nefarious post) in the website's browser context, I can gain access to your account, and post cow pictures, delete all your posts, and unfollow your followers.
Any new web application you grant access to, which makes direct queries from the browser, is thus a vector for script injection attacks. I have no idea what projects are doing to protect against them. I also don't have any need to find out, as I only use Mastodon for testing, so nothing on there matters to me personally.
Finally, there are ways to mitigate the risk from this type of script injection. An example is using HttpOnly/Secure cookies. This makes the login data live outside of the context the JavaScript is run in.