Attackers could steal password credentials from Mastodon users due to a vulnerability in Glitch, a fork of Mastodon, a researcher has warned.
Mastodon has risen in popularity in recent weeks, as many users moved to the social media platform as a replacement for Twitter, recently acquired by controversial businessman Elon Musk.
“Everybody on infosec Twitter seemed to be jumping ship to the infosec.exchange Mastodon server, so I decided to see what the fuss was all about,” Gareth Heyes, of PortSwigger Research*, wrote in a blog post released today.
Heyes found he was able to steal users’ stored credentials using Chrome’s autofill feature by tricking them into clicking a malicious element he had disguised as a toolbar.
After discovering that Mastodon allows users to post HTML, Heyes found out from other users that he was able to spoof a blue ‘official’ tick in his username by inputting :verified:.
He placed the :verified: string inside an anchor text node that was inside the title attribute by doing the following:
Input: :verified:>
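The root cause described above is user-supplied HTML reaching the page with too little filtering: markup nested inside an attribute such as `title`, and elements that a browser will treat as a form. An added example, not code from the article, from Mastodon or from Glitch, of the two properties a post sanitizer has to hold to close that off: only an allowlist of tags and attributes survives (so form controls that could trigger browser autofill are dropped), and every attribute value is re-escaped on output, so text placed inside `title` stays inert text. The allowlist, the `sanitize()` helper and the sample posts are all constructed for this illustration; the sanitizer is built on Python's standard `html.parser.HTMLParser`.

```python
"""Allowlist sanitizer for user-posted HTML (added illustration, not project code)."""
from html import escape
from html.parser import HTMLParser

# Constructed allowlist: only these tags/attributes are emitted. Note that
# form, input, button, select and textarea are absent on purpose, so a post
# cannot contain anything a browser autofill heuristic would treat as a
# login form.
ALLOWED_TAGS = {"p", "br", "a", "em", "strong", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class PostSanitizer(HTMLParser):
    """Re-serialises input HTML, keeping only allowlisted structure."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.open_tags = []  # stack of emitted tags, so output stays well formed
        self.dropped = []    # audit trail of removed tags/attributes

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return                      # element removed, its text is still kept
        clean = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                self.dropped.append(f"{tag}@href={value!r}")
                continue
            # Re-escape on output: a title that was written to look like
            # markup is emitted as &lt;...&gt;, never re-parsed as elements.
            clean.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(clean)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return                      # stray or dropped-element close tag
        while self.open_tags:           # close anything left open above it
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    def close_all(self):
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize(html):
    """Return (clean_html, dropped_items) for one user-supplied post body."""
    s = PostSanitizer()
    s.feed(html)
    s.close()
    s.close_all()
    return "".join(s.out), s.dropped


# Constructed sample posts for a local run.
SAMPLES = [
    '<p>hi <a href="https://example.com" title="<a>:verified:</a>">link</a></p>',
    '<form action="https://example.invalid"><input name="username">'
    '<input type="password" name="password"><button>Toolbar</button></form>',
    '<a href="javascript:void(0)">x</a>',
    '<p>a<span>b</p><em>unclosed',
]

if __name__ == "__main__":
    for post in SAMPLES:
        clean, dropped = sanitize(post)
        print(f"in:  {post}\nout: {clean}\ndropped: {dropped}\n")
```

The `dropped` list is the part worth wiring into monitoring: a post whose sanitizer run removes `form` or `input` elements, or a non-HTTP `href`, is a strong signal that someone is probing the renderer, and it can be logged and rate-limited before the content is ever shown to another user.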