Updated to indicate only glitch-soc is affected. There are other security updates in Mastodon 4.0.x, so it's not wasted effort to update if not running glitch-soc.

This message for everyone on the fediverse:

First, please ensure you go into your account settings and enable two/multi-factor authentication. No, I mean do it right now. I’ll wait till you’re done.

Ok, thank you.

Now, if you are the admin of a Mastodon instance running glitch-soc, please go upgrade to 4.0.2 ASAP.

Background: https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp

Stealing passwords from infosec Mastodon - without bypassing CSP

The story of how I could steal credentials on Infosec Mastodon with a HTML injection vulnerability, without needing to bypass CSP. Everybody on our Twitter feed seemed to be jumping ship to the infose

PortSwigger Research
@jerry seems MFA is mitigating the issue of having a password manager autofilling credentials. *Disable autofill*
@carlosmelero @jerry Thankfully that is always my default setup. It's always a little less convenient, but I've never trusted autofill because of stuff like this.
@charlesgillogly @carlosmelero @jerry this is only if you use browser autofill though, right? I've never seen 1Password, for example, fill fields without user interaction (or maybe it's a configurable thing that I never enable?)

@carlosmelero @jerry @charlesgillogly @sawaba

This is deliberate design. 1Password has always required user action to fill. Here is something I wrote on the 1Password blog about this five years ago, though even then it had been a long-standing security decision.

https://blog.1password.com/1password-keeps-you-safe-by-keeping-you-in-the-loop/

1Password keeps you safe by keeping you in the loop | 1Password

1Password’s browser extension has been designed from the outset to keep you safe from recently discovered browser-based attacks on some password managers. Read more.

1Password Blog
@jpgoldberg @carlosmelero @jerry @sawaba Some password managers have the option, just like the browser, to autofill on page load. It's definitely a bad idea, but I understand why they offer it. It should always be opt-in at least. I honestly can't remember if it's enabled or disabled by default in the ones I've worked with because my first step in any install is to go through all the settings and get them how I want them.

@carlosmelero @jerry @charlesgillogly @sawaba Up until five years ago, it was the default behavior in most. After these sorts of attacks hit the news, many switched to making it opt-in. The attack, however, was not new. 1Password has never offered automatic autofill even as an option.

A successful phishing page should need to trick both the password manager and the human.

@jpgoldberg @jerry @charlesgillogly @sawaba Bitwarden's default behavior is to require user interaction too.

Autofill has been an attack vector in the past not only with XSS but with URL parsing issues also:
https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

Maybe outdated but interesting:
https://marektoth.com/blog/password-managers-autofill/#analysis

How I made LastPass give me all your passwords - Detectify Labs

Stealing all your passwords by visiting a webpage. Sounds too bad to be true? I thought so too until I hacked the LastPass browser extension.

Detectify Labs

@carlosmelero @jerry @charlesgillogly @sawaba

I remember that. Bad URL parsing is another route to tricking a password manager. I hope by now that nobody is using an ad-hoc regex for parsing URLs.
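As an added illustration of the URL-parsing point raised in the last two posts (this is not code from anyone in the thread or from any password manager), the snippet below contrasts an ad-hoc regex "does the saved site appear in this URL?" check with a check that uses the WHATWG URL parser and compares the exact hostname. The saved site `bank.example`, the attacker-controlled hostnames and the test URLs are all constructed for the example.

```javascript
// Added example: why a password manager's "is this page the saved site?" decision
// must come from a real URL parser rather than a regex/substring search.
// All hostnames and URLs below are constructed for illustration.

// Naive check: look for the saved hostname anywhere in the URL string.
// This is the ad-hoc parsing the thread warns against.
function naiveMatch(savedHost, pageUrl) {
  return new RegExp(savedHost.replace(/\./g, "\\.")).test(pageUrl);
}

// Stricter check: parse with the WHATWG URL parser, require https, and compare the
// full hostname exactly (any subdomain policy should be a separate, explicit rule).
function strictMatch(savedHost, pageUrl) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch {
    return false; // unparsable input never qualifies for a fill
  }
  return u.protocol === "https:" && u.hostname === savedHost;
}

// Constructed cases: the stored login belongs to bank.example.
const SAVED_HOST = "bank.example";
const CASES = [
  ["https://bank.example/login", true],
  ["http://bank.example/login", false],                            // plaintext transport
  ["https://bank.example.attacker.example/", false],               // saved host is only a label prefix
  ["https://attacker.example/?next=https://bank.example", false],  // saved host only in the query
  ["https://attacker.example/#bank.example", false],               // saved host only in the fragment
  ["https://bank.example@attacker.example/", false],               // saved host is the userinfo part
];

// Returns the URLs on which a matcher disagrees with the expected decision.
function mismatches(matcher) {
  return CASES
    .filter(([url, expected]) => matcher(SAVED_HOST, url) !== expected)
    .map(([url]) => url);
}
```

Running `mismatches(naiveMatch)` shows the regex check would offer to fill on every attacker-controlled URL above, while `mismatches(strictMatch)` is empty.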