Updated to indicate that only glitch-soc is affected. There are other security updates in Mastodon 4.0.x, so it is not wasted effort to update even if you are not running glitch-soc.

This message is for everyone on the fediverse:

First, please ensure you go into your account settings and enable two-/multi-factor authentication. No, I mean do it right now. I'll wait till you're done.

…

…

Ok, thank you.

Now, if you are the admin of a Mastodon instance running glitch-soc, please go upgrade to 4.0.2 ASAP.

Background: https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp

Stealing passwords from infosec Mastodon - without bypassing CSP

The story of how I could steal credentials on Infosec Mastodon with an HTML injection vulnerability, without needing to bypass CSP. Everybody on our Twitter feed seemed to be jumping ship to the infose

PortSwigger Research
@jerry Also, just in general: Use a #passwordmanager. This has honestly changed my peace of mind quite a bit and reduced password headaches hugely. I only need to remember 1 password, all my passwords are unique, huge sequences of all sorts of characters, and if there ever is a breach, I know I can just update my password on the breached site and be done with it.

@joshisanonymous @jerry A password manager is critical.

Additionally, use a dedicated service, such as 1Password, Bitwarden, or LastPass, rather than what is provided by your browser.

That way you are not forced to stick with a certain browser you don't like anymore (coughChromecough) because all your passwords are trapped there.

@ilsa @jerry For sure! I've used #LastPass for several years now and am very happy with it. Works on all my computers, my phone, etc.