Updated to indicate only glitch-soc is affected. There are other security updates in Mastodon 4.0.x, so it's not wasted effort to update if you're not running glitch-soc.

This message for everyone on the fediverse:

First, please ensure you go into your account settings and enable two/multi factor authentication. No, I mean do it right now. I’ll wait till you’re done.

…

…

Ok, thank you.

Now, if you are the admin of a mastodon instance running glitch-soc, please go upgrade to 4.0.2 ASAP.

Background: https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp

Link preview: Stealing passwords from infosec Mastodon - without bypassing CSP (PortSwigger Research)

The story of how I could steal credentials on Infosec Mastodon with a HTML injection vulnerability, without needing to bypass CSP. Everybody on our Twitter feed seemed to be jumping ship to the infose
@jerry I give up, I can't find the settings for it :-(
@staustellsimon you have to do it through the web interface; most mobile apps don't expose that setting
@jerry yeah, I am, gone to account, nothing about 2fa that I can see

@jerry @staustellsimon

Probably best to set 2FA/SA up via web on a PC. You'll need your phone free for the setup anyway 😉🤷‍♂️

@simonzerafa @jerry @staustellsimon Not necessarily! I enabled Mastodon 2FA on my Mac Mini without camera or phone. Apple's integrated 2FA code generator is pretty awesome, I could even use a screenshot of the QR code to validate.

@ednl @jerry @staustellsimon

I suspected that Macs would be useful for something! 😉

@staustellsimon

If you go into settings account and (then the weird part, for me) when I click on account, it's not there, but then open up the side menu again it's now there under account. Easier to find on PC, but it is there in the mobile interface; it doesn't show up until after you click on account. Instead of using the QR code you'll have to use the setup key feature.

Dunno if this helped? It took me a minute to figure it out.

@Shochin @staustellsimon It's like magic. Thanks for the post.