Mastodon newbie protip: don't click the "remote follow" button. Just copy the user's URL and paste it into the search bar of your home instance, then click the follow button (the little icon of a person with a "+" on it).

Not only is "remote follow" slower and more awkward; it's a potential security risk, because a malicious instance could trick you into giving them your password (if you're not paying attention to the URL bar).

I don't see any issues on the Mastodon repo mentioning that "remote follow" is a phishing opportunity, and that we're training users to do something that could get exploited one day. I'd file an issue, but there are so many infosec people on here, maybe someone else could articulate it better than me? Or maybe I'm overestimating the risk? /cc @munin @bcrypt
@nolan @munin @bcrypt what would be the modus operandi, exactly? how could someone phish and what could they gain?

@rysiek @nolan @bcrypt

Rig the 'remote follow' button to direct to a page I control with the credentials dialogue; on the backend, collect credentials and relay 'em to the 'correct' location to complete the follow.

@munin @rysiek @bcrypt Yes also if you're an admin and you don't have 2FA set up then getting your password is especially valuable.

@nolan
True that if an admin enters his/her username and password in a page without checking where he/she is then he/she should be banned for being an admin of anything ;-)

Anyway it seems like if I'm already logged in to my instance the remote site only asks for the username which is OK.

@munin @rysiek @bcrypt

@paolov @nolan @rysiek @bcrypt

"You should know better" is not a valid argument.

If you are logged in, then yes - but the option is available -to- log in if you're not, which opens this UI hole to exploitation.

@munin
Yes I do agree, I was just being a bit cheeky.

It is a UI (and UX) issue which is difficult to fix as there are many ways to trick a user.

I'm for the radical solution of requiring the user to log in from his/her home instance before "remote following" or similar.

@nolan @rysiek @bcrypt
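The defence the thread keeps coming back to is "check where you are before typing your password": a credentials form is only safe to fill in when its origin is exactly your home instance. The following is an added example, not code from the thread or from the Mastodon project, showing what that comparison has to cover if a client or browser extension did it for the user. The hostnames (home.example, evil.example) are constructed sample values.

```python
from urllib.parse import urlsplit

# Default ports per scheme, so "https://host/" and "https://host:443/" compare equal.
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url: str):
    """Return (scheme, host, port) for a URL, or None if it cannot be a trusted origin.

    Only https is accepted: a sign-in form served over plain http is never the home
    instance, whatever hostname it shows. Malformed URLs (e.g. a non-numeric port)
    also yield None rather than raising.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    # urlsplit already lower-cases hostname; strip a trailing dot (FQDN form) too.
    return (parts.scheme, parts.hostname.rstrip("."), port)


def is_home_instance_page(home_instance: str, page_url: str) -> bool:
    """True only when page_url's origin is exactly the user's home instance.

    home_instance is the bare hostname the user signed up on (constructed example:
    "home.example"). Because urlsplit extracts the real host, the classic lookalikes
    all fail the comparison:
      https://home.example@evil.example/...   -> host is evil.example (userinfo trick)
      https://home.example.evil.example/...   -> host is a different domain (subdomain trick)
      https://home.example:8443/...           -> different port, different origin
      http://home.example/...                 -> not https
    """
    expected = ("https", home_instance.lower().rstrip("."), 443)
    return origin_of(page_url) == expected


def classify_sign_in_pages(home_instance: str, urls):
    """Map each URL to True (safe to enter home-instance credentials) or False."""
    return {u: is_home_instance_page(home_instance, u) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs a user might land on after clicking "remote follow".
    samples = [
        "https://home.example/auth/sign_in",
        "https://HOME.EXAMPLE:443/auth/sign_in",
        "https://home.example@evil.example/auth/sign_in",
        "https://home.example.evil.example/auth/sign_in",
        "https://home.example:8443/auth/sign_in",
        "http://home.example/auth/sign_in",
    ]
    for url, ok in classify_sign_in_pages("home.example", samples).items():
        print(("OK   " if ok else "STOP ") + url)
```

The point of the exact-tuple comparison is that "looks like my instance" is not a usable test: scheme, host and port must all match, and the host must be the one the browser will actually connect to, not the one that appears first in the address bar.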