Updated to indicate only glitch-soc is affected. There are other security updates in Mastodon 4.0.x, so it is not wasted effort to update if not running glitch-soc.

This message for everyone on the fediverse:

First, please ensure you go into your account settings and enable two/multi factor authentication. No, I mean do it right now. I’ll wait till you’re done.

…

…

Ok, thank you.

Now, if you are the admin of a mastodon instance running glitch-soc, please go upgrade to 4.0.2 ASAP.

Background: https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp

Stealing passwords from infosec Mastodon - without bypassing CSP

The story of how I could steal credentials on Infosec Mastodon with a HTML injection vulnerability, without needing to bypass CSP. Everybody on our Twitter feed seemed to be jumping ship to the infose

PortSwigger Research

@jerry @david we up to date on tech.lgbt yet?

Seems there was the ability for credential stealing.

@AtomicMaya @jerry Thank you for sharing. I scheduled the update for tomorrow, but based on this info I'm going to run the upgrade now after a backup
@jerry beat me to it. I mean, if someone in the infosec community didn't immediately set up MFA, that's a paddlin'.
@jerry No 2FA on akkoma I believe, which is too bad. Interesting vulnerability though. Good thing I've long stopped using chrome autofill for my passwords. I believe more of these vulnerabilities will be found in the future. They are part of the growing pains of a hobby-size platform growing up.
@jerry I give up, I can't find the settings for it :-(
@staustellsimon you have to do it through the web interface; most mobile apps don’t expose that setting
@jerry yeah, I am, gone to account, nothing about 2fa that I can see

@jerry @staustellsimon

Probably best to set 2FA/SA up via web on a PC. You'll need your phone free for the setup anyway 😉🤷‍♂️

@simonzerafa @jerry @staustellsimon Not necessarily! I enabled Mastodon 2FA on my Mac Mini without camera or phone. Apple's integrated 2FA code generator is pretty awesome, I could even use a screenshot of the QR code to validate.

@ednl @jerry @staustellsimon

I suspected that Macs would be useful for something! 😉

@staustellsimon

If you go into settings, then account, and (the weird part, for me) when I click on account it's not there, but then open up the side menu again and it's now there under account. Easier to find on a PC, but it is there in the mobile interface; it doesn't show up until after you click on account. Instead of using the QR code you'll have to use the setup key feature.

Dunno if this helped? it took me a minute to figure it out

@Shochin @staustellsimon It's like magic. Thanks for the post.
@jerry i knew the img had something bad with it xD
@jerry
I always set up 2FA on every site/account I can by default, but yikes. Signal boosting this #vulnerability for awareness
@jerry seems MFA is mitigating the issue of having a password manager autofilling credentials. *Disable autofill*
@carlosmelero @jerry Thankfully that is always my default setup. It's always a little less convenient, but I've never trusted autofill because of stuff like this.
@charlesgillogly @carlosmelero @jerry this is only if you use browser autofill though, right? I've never seen 1Password, for example, fill fields without user interaction (or maybe it's a configurable thing that I never enable?)

@carlosmelero @jerry @charlesgillogly @sawaba

This is deliberate design. 1Password has always required user action to fill. Here is something I wrote on the 1Password blog about this five years ago, though even then it had been a long standing security decision.

https://blog.1password.com/1password-keeps-you-safe-by-keeping-you-in-the-loop/

1Password keeps you safe by keeping you in the loop | 1Password

1Password’s browser extension has been designed from the outset to keep you safe from recently discovered browser-based attacks on some password managers. Read more.

1Password Blog
@jpgoldberg @carlosmelero @jerry @sawaba Some password managers have the option, just like the browser, to autofill on page load. It's definitely a bad idea, but I understand why they offer it. It should always be opt-in at least. I honestly can't remember if it's enabled or disabled by default in the ones I've worked with because my first step in any install is to go through all the settings and get them how I want them.

@carlosmelero @jerry @charlesgillogly @sawaba Up until five years ago, it was the default behavior in most. After these sorts of attacks hit the news, many switched to making it opt in. The attack, however, was not new. 1Password has never offered automatic auto fill even as an option.

A successful phishing page should need to trick both the password manager and the human.

@jpgoldberg @jerry @charlesgillogly @sawaba Bitwarden's default behavior is to require user interaction too.

Autofill has been an attack vector in the past, not only with XSS but with URL parsing issues also:
https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

Maybe outdated but interesting:
https://marektoth.com/blog/password-managers-autofill/#analysis

How I made LastPass give me all your passwords - Detectify Labs

Stealing all your passwords by visiting a webpage. Sounds too bad to be true? I thought so too until I hacked the LastPass browser extension.

Detectify Labs

@carlosmelero @jerry @charlesgillogly @sawaba

I remember that. Bad URL parsing is another route to tricking a password manager. I hope by now that nobody is using an ad-hoc regex for parsing URLs.
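The two points made in this thread (fill only on an explicit user action, and never decide "is this the saved site?" with an ad-hoc regex) can be shown side by side. The following is an added example, not code from any password manager or from the linked articles; the helper names (`adHocMatch`, `originMatches`, `shouldFill`) and the URLs are constructed for illustration. It contrasts a regex that looks for the saved hostname somewhere in the authority part of the URL with a comparison of full origins produced by the WHATWG URL parser that browsers and Node ship.

```javascript
// Added example: origin matching for an autofill decision.
// Hypothetical helpers; URLs below are constructed test cases.

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Ad-hoc check: "does the saved hostname appear before the first slash?"
// This is the kind of shortcut the thread warns against. It is not
// anchored to the end of the host, and it has no idea that "user@" is
// userinfo rather than part of the host.
function adHocMatch(pageUrl, savedHost) {
  const re = new RegExp('^https?://[^/]*' + escapeRe(savedHost), 'i');
  return re.test(pageUrl);
}

// Proper check: let a real URL parser split the URL, then compare the
// whole origin (scheme + host + port). Userinfo is discarded by the
// parser, a longer hostname is a different host, and an http:// page
// never matches an https:// credential.
function originMatches(pageUrl, savedOrigin) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return false;            // unparseable input: do not fill
  }
  if (page.protocol !== 'https:') return false;
  return page.origin === new URL(savedOrigin).origin;
}

// Fill policy: an exact origin match is necessary but not sufficient.
// The fill also requires an explicit user action, so a page that merely
// loads a form in the right origin cannot harvest credentials on its own.
function shouldFill(pageUrl, savedOrigin, userInvoked) {
  return userInvoked === true && originMatches(pageUrl, savedOrigin);
}

// Constructed cases where the regex says "same site" and the parser does not.
const SAVED_HOST = 'bank.test';
const SAVED_ORIGIN = 'https://bank.test';
const CASES = [
  'https://bank.test/login',                // genuine page
  'https://bank.test.evil.test/login',      // saved host is a prefix of another host
  'https://bank.test@evil.test/login',      // saved host sits in the userinfo
  'http://bank.test/login',                 // right host, wrong scheme
];

function compare() {
  return CASES.map((u) => ({
    url: u,
    adHoc: adHocMatch(u, SAVED_HOST),
    origin: originMatches(u, SAVED_ORIGIN),
  }));
}

for (const row of compare()) {
  console.log(`${row.url}\n  ad-hoc regex: ${row.adHoc}  origin compare: ${row.origin}`);
}
```

Run with `node`; only the first URL survives the origin comparison, while the regex accepts all four. The `shouldFill` gate is the "design decision" side of the thread: even a correct origin match does nothing until the user asks for the fill.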

@jerry is 4.x out of rc then?
@jerry @popey thanks, will bump later, last time I checked it was still in rc
@andysomniac @jerry I went to 4.0.0 then 4.0.2. Both were painless upgrades
@jerry I don't see the option in #Tusky, I will go to the browser but it would be a good idea to get the apps to enforce it too.
Enabling #2FA was one of the things which I did soon after creating my account (while looking to see what configuration options were present). Just as well that I did.
@jerry @s0 not sure if you've seen this
@jerry
And how does one go about this, says the newbie.
@jerry Enabled here. It amazes me that 2FA isn't an option for every website where you need a login. So many don't!
@jerry for some reason my antivirus blocks the 2FA page when I try to access it on my computer... very odd!
@alchemilla_mollis that is odd indeed. What AV do you have?
@jerry F-Secure. They just say it has been listed "as harmful".

@tramtrist Yep, we're aware. It's on our schedule for today.

@jerry

@jerry I tried on my iOS. It opens a link and gives me search box. Do I enter my masto @ account there?
@elkmama3 it’s easiest if you use the web interface.
@jerry yes, that's where I started and it gave me a QR code to scan w/ phone.

@jerry Is there any way to require MFA on an instance?

I'm surprised anyone on the Infosec instance doesn't have it though

@jerry that was a fun read. 😁

@jerry

Done ✅ Thanks for the heads up!

@jerry

I tried to enable this, but was unable to do so. I went to preferences/account/Two-factor Auth/, then pressed "Set Up", and was given a QR code to scan, and also was given the option of manually entering the "plain-text secret". I chose the latter, but it did not work.

@jerry and 2FA with your phone is pretty much worthless too
@jerry the headline was enough - done and boosted - thank you
@jerry Also, just in general: Use a #passwordmanager. This has honestly changed my peace of mind quite a bit and reduced password headaches hugely. I only need to remember 1 password, all my passwords are unique, huge sequences of all sorts of characters, and if there ever is a breach, I know I can just update my password on the breached site and be done with it.
@joshisanonymous @jerry Yes 👍 completely agree - I would be completely lost without my password manager. I also use a password generator to create a password with a large number of characters and tick all the options for caps/lowercase, numbers and symbols, etc.

@joshisanonymous @jerry A password manager is critical.

Additionally, use a dedicated service rather than what is provided by your browser. Such as 1Password, Bitwarden, or LastPass.

That way you are not forced to stick with a certain browser you don't like anymore (coughChromecough) because all your passwords are trapped there.

@ilsa @jerry For sure! I've used #LastPass for several years now and am very happy with it. Works on all my computers, my phone, etc.