WARNING: Phishing Attacks, HTML markup to hide urls, are now in Mastodon.

While Mastodon does not have markup to allow hiding urls, they share an API with "friendica" and friendica ALLOWS HIDING URLS.

And friendica accounts can post on Mastodon.
I have asked for a solution, none is forthcoming.

Click NO LINKS that come from friendica. Be wary of links on Mastodon, as if Mastodon were "email" - without any protections.

Multiple reports that other fediverse branches allow hiding urls. No clicking links.

@kevinrns been a while since I had to deal with webpages, but can't you filter this stuff out at one of the many layers before finally sending out the html? I use my own antibrowser thin client for net/cloud apps so I would never see this particular problem.

@otheorange_tag

Mozilla, after joining Mastodon, because they love free, freedom and free people controlling their lives, took a moment to seriously test Mastodon, and found five critical threats, including the ability to root a Mastodon server with a post, a toot.

Automatically revealing actual urls, beside links under markup, is a basic layer of protection.

I hope Mozilla has more tests, more suggestions and joins in helping make #Mastodon security focused.

https://arstechnica.com/security/2023/07/mastodon-fixes-critical-tootroot-vulnerability-allowing-node-hijacking/

Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking

Most critical of the bugs allowed attackers to root federated instances.

Ars Technica
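
The protection discussed in the thread above, showing a link's real destination beside its label before the HTML reaches the reader, can be sketched as a filter over post HTML. This is an added example, not code from Mastodon, friendica or anyone in the thread; `host_of`, `LinkRevealer`, `reveal_links` and the sample post are hypothetical names and constructed data.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample post; every domain is a placeholder under .example.
SAMPLE = (
    '<p>Reset: <a href="https://login.attacker.example/r">https://social.example/auth</a>'
    ' or <a href="https://attacker.example/x">click me</a>. Docs: '
    '<a href="https://docs.example/"><span class="invisible">https://</span>docs.example/</a></p>'
)

def host_of(value):
    """Hostname named by a URL-like string, or None if it names none."""
    value = value.strip()
    try:
        host = urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None
    return host if host and "." in host and " " not in host else None

class LinkRevealer(HTMLParser):
    """Renders post HTML as text and prints each link's real host beside it."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings = [], []
        self.href, self.label = None, []   # href is None while outside <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.label = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        (self.label if self.href is not None else self.out).append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        label = "".join(self.label)
        real, shown = host_of(self.href), host_of(label)
        if real is not None and shown == real:
            self.out.append(label)  # label already shows the destination
        else:
            self.findings.append(("mismatch" if shown else "hidden", label.strip(), self.href))
            self.out.append(f"{label} [goes to: {real or self.href}]")
        self.href = None

def reveal_links(post_html):
    parser = LinkRevealer()
    parser.feed(post_html)
    parser.close()  # flush any buffered trailing text
    return "".join(parser.out), parser.findings
```

A "mismatch" finding (the label names one host, the href another) is the stronger phishing signal; "hidden" only means the label does not show where the link goes.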