Mastodon users vulnerable to password-stealing attacks

Attackers could steal password credentials from Mastodon users due to a vulnerability in Glitch, a fork of Mastodon, a researcher has warned.

Mastodon has risen in popularity in recent weeks, as many users moved to the social media platform as a replacement for Twitter, recently acquired by controversial businessman Elon Musk.

“Everybody on infosec Twitter seemed to be jumping ship to the infosec.exchange Mastodon server, so I decided to see what the fuss was all about,” Gareth Heyes, of PortSwigger Research*, wrote in a blog post released today.

Heyes found he was able to steal users’ stored credentials using Chrome’s autofill feature by tricking them into clicking a malicious element he had disguised as a toolbar.

After discovering that Mastodon allows users to post HTML, Heyes found out from other users that he was able to spoof a blue ‘official’ tick in his username by inputting :verified:.

He placed the :verified: string inside an anchor text node that was inside the title attribute by doing the following:

Input: :verified:>

Copyright © 2023 Newsworthy News
