The Mastodon "Remote follow" feature could be so easily used to phish the average Mastodon user into signing into a fake instance.

⚠️ Important security reminder: Always make sure the URL shows your "home instance" when logging in.

@fj Isn't this an area where customizing the way Mastodon looks based on a per-user cookie (something the fake site can't see) would help?

@fj you're never prompted to log in though, well at least not if you're already logged in.

Pro tip to get around it: copy-paste the URL of the profile into the search field to find the person you want to follow.

@fj this is what password managers excel at. They won't fill in a password on a different instance (or any phishing site) and you can't enter a password because you don't know it.
@fj Keen thought sir, thanks for the reminder. Even then, don't trust URLs — manually type them.
@fj and turn on 2FA
@szbalint @fj It won't save you if your 2FA code gets phished as well
@fj Better yet – don't use the "remote follow" flow. It's faster to paste the URL into the search bar on your home instance anyway.
@nolan @fj Now that qvitter has this too (pasting the account into the people search), the old remote follow flow remains there mostly as a backup.
@fj Tell that to people who defend Unicode in URLs
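An added illustration of the password-manager point raised in the thread (a credential is only filled when the page's origin exactly matches the one it was saved for) and of why lookalike Unicode hostnames do not defeat that check. This is example code written for this page, not Mastodon's or any password manager's implementation; the instance hostnames are constructed placeholders, and the helper names `canonicalOrigin`, `shouldAutofill` and `runCases` are the example's own.

```javascript
// Added example, not code from the thread or from Mastodon.
// Models the origin check a password manager applies before filling a
// saved login. Instance hostnames below are constructed for illustration.

// Canonical origin = scheme + "://" + host (+ non-default port). WHATWG URL
// parsing converts IDN hostnames to their ASCII (punycode, "xn--") form, so a
// host spelled with lookalike Unicode letters can never compare equal to the
// ASCII name the credential was saved under.
function canonicalOrigin(urlString) {
  const u = new URL(urlString);
  if (u.protocol !== "https:") {
    return null; // never fill a credential over plaintext HTTP
  }
  return u.origin; // e.g. "https://home-instance.example"
}

// Decide whether the credential saved for `savedOrigin` may be filled into a
// login form served from `pageUrl`. Exact origin match only: no substring
// matching, no "looks similar" heuristics.
function shouldAutofill(savedOrigin, pageUrl) {
  const page = canonicalOrigin(pageUrl);
  if (page === null) return false;
  return page === canonicalOrigin(savedOrigin);
}

// Constructed sample: the user's home instance and four login pages a
// "remote follow" redirect might land on.
const HOME = "https://home-instance.example";

const cases = [
  // the real home instance sign-in page
  ["https://home-instance.example/auth/sign_in", true],
  // a different instance whose hostname merely embeds the home instance name
  ["https://home-instance.example.other-instance.example/auth/sign_in", false],
  // a lookalike host using Cyrillic "о" (U+043E) in place of Latin "o"
  ["https://h\u043eme-instance.example/auth/sign_in", false],
  // the right host, but plaintext HTTP
  ["http://home-instance.example/auth/sign_in", false],
];

// Evaluate every sample page against the saved home-instance credential and
// report the hostname as the URL parser actually sees it.
function runCases() {
  return cases.map(([url, expected]) => ({
    url,
    parsedHost: new URL(url).hostname,
    fill: shouldAutofill(HOME, url),
    expected,
  }));
}

for (const r of runCases()) {
  console.log(`${r.fill ? "FILL   " : "REFUSE "} host=${r.parsedHost}  ${r.url}`);
}
```

The `parsedHost` column is the useful part: the Cyrillic lookalike shows up as an `xn--` label, which is why an exact comparison of canonical origins is enough and no manual Unicode inspection is needed on the manager's side.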