Mastodon newbie protip: don't click the "remote follow" button. Just copy the user's URL and paste it into the search bar of your home instance, then click the follow button (the little icon of a person with a "+" on it).

Not only is "remote follow" slower and more awkward; it's a potential security risk, because a malicious instance could trick you into giving them your password (if you're not paying attention to the URL bar).

I don't see any issues on the Mastodon repo mentioning that "remote follow" is a phishing opportunity, and that we're training users to do something that could get exploited one day. I'd file an issue, but there are so many infosec people on here, maybe someone else could articulate it better than me? Or maybe I'm overestimating the risk? /cc @munin @bcrypt

@nolan @munin @bcrypt what would be the modus operandi, exactly? How could someone phish, and what could they gain?

@rysiek @nolan @bcrypt

Rig the 'remote follow' button to direct to a page I control with the credentials dialogue; on the backend, collect credentials and relay 'em to the 'correct' location to complete the follow.

@munin @nolan @bcrypt ah, of course. Dang, should have thought about that. That's a very valid point!

@rysiek @nolan @bcrypt

Now, the -legitimate- one will redirect you back to your home instance...

...but every instance has the same livery by default; there's really no obvious 'tells' other'n if you're paranoid enough to watch the URL bar, and most people aren't.
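
As an added example (not code from the thread, nor Mastodon's own), the kind of check a client or browser extension could apply before a user types a password into a "remote follow" flow: the credential form must be served by the exact origin of the home instance, not merely a URL that contains its name. The instance hostnames are constructed.

```python
"""Defensive origin check for a credential prompt.

The home instance value and the hostnames used in the comments are
assumptions for this example, not real servers.
"""
from urllib.parse import urlsplit

HOME_INSTANCE = "https://mastodon.example"  # assumed home instance


def is_home_login_page(url: str, home: str = HOME_INSTANCE) -> bool:
    """Return True only if `url` is served by the home instance's origin.

    Compares scheme, hostname and port exactly.  A substring test such as
    `"mastodon.example" in url` would also accept a look-alike host
    (extra subdomains), a userinfo prefix before '@', or a plain-http
    copy of the page, which is exactly what a phishing instance would use.
    """
    expected = urlsplit(home)
    got = urlsplit(url)
    # Only accept TLS-protected pages; a plain http login page is never fine.
    if got.scheme != "https" or expected.scheme != "https":
        return False
    # .hostname already drops any userinfo and port, so
    # "https://mastodon.example@other.example/" yields "other.example".
    if got.hostname is None or expected.hostname is None:
        return False
    if got.hostname.lower() != expected.hostname.lower():
        return False
    # Treat an omitted port as the https default (443).
    return (got.port or 443) == (expected.port or 443)


if __name__ == "__main__":
    for candidate in (
        "https://mastodon.example/auth/sign_in",
        "https://mastodon.example.attacker.example/auth/sign_in",
        "https://mastodon.example@attacker.example/auth/sign_in",
        "http://mastodon.example/auth/sign_in",
    ):
        print(candidate, "->", is_home_login_page(candidate))
```

Running the block prints `True` only for the first candidate; the other three are the patterns a user glancing at the URL bar is most likely to misread.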

@bcrypt @nolan @rysiek

A potential mitigation would be to load foreign threads in an iframe in your own instance, with the 'follow remote user' button clearly from your home instance.

But that'd be kinda hinky :-/

@munin @nolan @bcrypt one simple-ish solution would be to *require* users to set a "security picture", some bank websites use that.

@rysiek @munin @nolan @bcrypt another implication of entering your webfinger id on a remote !OStatus instance is: that remote instance learns your current IP address AND your webfinger id together.

Even if you have a dynamic IP, this can be used for #geolocating your position or to scan your IP for open ports. Maybe not what privacy-minded people expect.

Now that there are #company-owned large Mastodon instances this could become an issue.