"Attackers could steal password credentials from Mastodon users due to a vulnerability in Glitch, a fork of Mastodon, a researcher has warned." https://portswigger.net/daily-swig/mastodon-users-vulnerable-to-password-stealing-attacks
Mastodon users vulnerable to password-stealing attacks

Patched bug could have leaked credentials

The Daily Swig

"Stealing passwords from infosec Mastodon - without bypassing CSP"

https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp

The story of how I could steal credentials on Infosec Mastodon with an HTML injection vulnerability, without needing to bypass CSP. Everybody on our Twitter feed seemed to be jumping ship to the infose

PortSwigger Research

@doener what would be the point? W/o any authority/verification you could pretend to be anyone just by setting up an account on another server.

I'm being slightly facetious, of course. But only slightly.

@IlyaLehrman @doener it's worse to take over an existing account because you get the complete social graph and DMs and stuff