Updated to indicate that only glitch-soc is affected. There are other security updates in Mastodon 4.0.x, so it is not wasted effort to update even if you are not running glitch-soc.

This message for everyone on the fediverse:

First, please ensure you go into your account settings and enable two-/multi-factor authentication. No, I mean do it right now. I’ll wait till you’re done.

…

…

Ok, thank you.

Now, if you are the admin of a Mastodon instance running glitch-soc, please go upgrade to 4.0.2 ASAP.

Background: https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp

@jerry I give up, I can't find the settings for it :-(
@staustellsimon you have to do it through the web interface; most mobile apps don’t expose that setting

@jerry @staustellsimon

Probably best to set 2FA/SA up via web on a PC. You'll need your phone free for the setup anyway 😉🤷‍♂️

@simonzerafa tru dat