Mastodon newbie protip: don't click the "remote follow" button. Just copy the user's URL and paste it into the search bar of your home instance, then click the follow button (the little icon of a person with a "+" on it).

Not only is "remote follow" slower and more awkward; it's a potential security risk, because a malicious instance could trick you into giving them your password (if you're not paying attention to the URL bar).

I don't see any issues on the Mastodon repo mentioning that "remote follow" is a phishing opportunity, and that we're training users to do something that could get exploited one day. I'd file an issue, but there are so many infosec people on here, maybe someone else could articulate it better than me? Or maybe I'm overestimating the risk? /cc @munin @bcrypt

@nolan @bcrypt

No, you're right; it's a pretty nasty UI element that's just asking for trouble.

@munin @nolan @bcrypt what'd be neat, I think, is if your browser could pull out the account link and give you a one-click URL bar follow button, like RSS used to have. Just one man's opinion.

@nolan @munin @bcrypt what would be the modus operandi, exactly? How could someone phish, and what could they gain?

@rysiek @nolan @bcrypt

Rig the 'remote follow' button to direct to a page I control with the credentials dialogue; on the backend, collect credentials and relay 'em to the 'correct' location to complete the follow.

@munin @rysiek @bcrypt Yes also if you're an admin and you don't have 2FA set up then getting your password is especially valuable.

@nolan
True that if an admin enters his/her username and password in a page without checking where he/she is then he/she should be banned for being an admin of anything ;-)

Anyway, it seems like if I'm already logged in to my instance, the remote site only asks for the username, which is OK.

@munin @rysiek @bcrypt

@paolov @nolan @rysiek @bcrypt

"You should know better" is not a valid argument.

If you are logged in, then yes - but the option is available -to- log in if you're not, which opens this UI hole to exploitation.

@munin
Yes I do agree, I was just being a bit cheeky.

It is a UI (and UX) issue which is difficult to fix as there are many ways to trick a user.

I'm for the radical solution of requiring the user to log in from his/her home instance before "remote following" or similar.

@nolan @rysiek @bcrypt

@munin @nolan @bcrypt ah, of course. Dang, should have thought about that. That's a very valid point!

@rysiek @nolan @bcrypt

Now, the -legitimate- one will redirect you back to your home instance...

...but every instance has the same livery by default; there's really no obvious 'tells' other'n if you're paranoid enough to watch the URL bar, and most people aren't.
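The "watch the URL bar" tell described above is the one check that distinguishes the legitimate redirect from a phishing page. This is an added example, not part of the thread or of Mastodon's own code: it resolves the remote-follow redirect from a webfinger document the way an honest instance would (the `http://ostatus.org/schema/1.0/subscribe` link with its `{uri}` template), and then applies the origin check a client would need before handing over credentials. The domains, the webfinger document and the candidate redirect URLs are all constructed for illustration.

```python
import json
from urllib.parse import quote, urlparse

# The OStatus "subscribe" link relation that carries the remote-follow template.
SUBSCRIBE_REL = "http://ostatus.org/schema/1.0/subscribe"

# Constructed webfinger document, modelled on what a home instance returns for
# GET /.well-known/webfinger?resource=acct:alice@home.example (domains are made up).
HOME_WEBFINGER = json.dumps({
    "subject": "acct:alice@home.example",
    "links": [
        {"rel": "self", "type": "application/activity+json",
         "href": "https://home.example/users/alice"},
        {"rel": SUBSCRIBE_REL,
         "template": "https://home.example/authorize_follow?acct={uri}"},
    ],
})


def subscribe_url(webfinger_doc, target_acct):
    """Resolve where an honest remote instance would send the user.

    The remote instance looks up the user's webfinger id, takes the subscribe
    template and substitutes the account to follow into {uri}.
    Returns None when the document carries no subscribe link.
    """
    doc = json.loads(webfinger_doc)
    for link in doc.get("links", []):
        if link.get("rel") == SUBSCRIBE_REL and "template" in link:
            return link["template"].replace("{uri}", quote(target_acct, safe=""))
    return None


def is_safe_follow_redirect(redirect_url, home_domain):
    """True only if the page about to ask for credentials is the home instance itself.

    The remote instance fully controls the redirect, so this is the check the user
    (or a client) must make before typing a password. Exact host comparison rejects
    look-alike subdomains (home.example.evil.net) and userinfo tricks
    (https://home.example@evil.net/), and only https is accepted.
    """
    parts = urlparse(redirect_url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return host == home_domain.lower()


def classify_redirects(redirects, home_domain):
    """Map each candidate redirect to a verdict, for a quick review of a set of URLs."""
    return {url: ("ok" if is_safe_follow_redirect(url, home_domain) else "PHISH?")
            for url in redirects}


if __name__ == "__main__":
    honest = subscribe_url(HOME_WEBFINGER, "bob@remote.example")
    # Constructed examples of what a rigged 'remote follow' button might send instead.
    candidates = [
        honest,
        "https://home.example.evil.net/authorize_follow?acct=bob%40remote.example",
        "https://home.example@evil.net/authorize_follow?acct=bob%40remote.example",
        "http://home.example/authorize_follow?acct=bob%40remote.example",
    ]
    for url, verdict in classify_redirects(candidates, "home.example").items():
        print(f"{verdict:7} {url}")
```

Only the first candidate passes; the other three look like the home instance to a reader skimming the page but land on a host the attacker controls (or on an unencrypted connection), which is exactly the window the rigged button exploits.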

@bcrypt @nolan @rysiek

A potential mitigation would be to load foreign threads in an iframe in your own instance, with the 'follow remote user' button clearly from your home instance.

But that'd be kinda hinky :-/

@munin @nolan @bcrypt one simple-ish solution would be to *require* users to set a "security picture", some bank websites use that.

@rysiek @munin @nolan @bcrypt another implication of entering your webfinger id on a remote !Ostatus instance is: that remote instance learns your current IP address AND your webfinger id together.

Even if you have a dynamic IP, this can be used for #geolocating your position or for scanning your IP for open ports. Maybe not what privacy-minded people expect.

Now that there are #company-owned large Mastodon instances, this could become an issue.