
Mastodon users vulnerable to password-stealing attacks

Attackers could steal password credentials from Mastodon users due to a vulnerability in Glitch, a fork of Mastodon, a researcher has warned.

Mastodon has risen in popularity in recent weeks, as many users moved to the social media platform as a replacement for Twitter, recently acquired by controversial businessman Elon Musk.

“Everybody on infosec Twitter seemed to be jumping ship to the infosec.exchange Mastodon server, so I decided to see what the fuss was all about,” Gareth Heyes, of PortSwigger Research, wrote in a blog post released today.

Heyes found he was able to steal users’ stored credentials using Chrome’s autofill feature by tricking them into clicking a malicious element he had disguised as a toolbar.

After discovering that Mastodon allows users to post HTML, Heyes learned from other users that he could spoof a blue ‘official’ tick next to his username by entering the placeholder text :verified:.

He placed the :verified: string inside the text of an anchor element, which itself sat inside the title attribute of an <abbr> element, as follows:

Input: <abbr title="<a href='https://blah'>:verified:</a>><iframe src=//garethheyes.co.uk/>">

Output: <abbr title="<a href='https://blah'><img draggable="false" … >><iframe src=//garethheyes.co.uk/>

This let Heyes bypass the HTML filter: the :verified: placeholder was replaced with an image tag containing double quotes, and those quotes terminated the title attribute, so the remainder of the attribute value was rendered as markup.

“The filter was completely destroyed as I could just inject arbitrary HTML, but one last thing stood in my way: they used a relatively strict Content Security Policy (CSP),” wrote Heyes.

“Pretty much each resource was limited to infosec.exchange, with the exception of iframes which allowed any HTTPS URL.”

Spoofed

Heyes then realised he could inject form elements, allowing him to spoof a password form which, when combined with Chrome autofill, would allow an attacker access to the credentials.

Worse still, the researcher was able to spoof Mastodon’s own toolbar (pictured in the original post). When a user clicked any element of the spoofed toolbar, their credentials were sent to an attacker’s server.

Heyes tested Chrome to see if it would still autofill the credentials when the inputs were invisible. If an attacker used an opacity value of zero, Chrome would still conveniently fill in the credentials.

Due to the CSP, Heyes couldn’t use inline styles. However, looking at the CSS files, he found a class that had opacity:0 “in a couple of seconds”, which “worked perfectly”.
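The two mechanics described above, the placeholder substitution that breaks out of an attribute value and the injected form and iframe elements that have no business in a post, can be shown side by side with a small script. This is an added example, not code from Mastodon, Glitch or Heyes’ post: the stored post, the emoji image markup, the placeholder hostname example.invalid and the simplified tag/attribute tokenizer are all constructed here to model the behaviour, and the real client code is not reproduced.

```javascript
// Added example (not Mastodon's or Glitch's code): why substituting emoji
// shortcodes over serialised HTML lets an attribute value break out, and how
// substituting only inside text tokens avoids it. The tokenizer below is a
// deliberately simplified model of how a browser splits tags, attributes and
// quoted values; it is not a full HTML parser.

// Constructed: the post as the server stored it after HTML filtering. The
// filter kept <abbr title="..."> and, as HTML serialisers do, left '<' and
// '>' inside the attribute value unescaped. example.invalid is a placeholder.
const STORED_POST =
  '<p><abbr title="<a href=\'https://blah\'>:verified:</a>>' +
  '<iframe src=//example.invalid/>">:verified: hover me</abbr></p>';

// Constructed markup for a custom emoji. Its double quotes are what end the
// surrounding title attribute early when the tag is inserted into the value.
const SHORTCODE = /:([a-z0-9_]+):/g;
const emojiImg = (name) =>
  `<img draggable="false" class="emojione" alt=":${name}:" ` +
  `title=":${name}:" src="/emoji/${name}.svg">`;

// Splits HTML into tag and text tokens, consuming quoted attribute values so
// that a '<' inside a value is not mistaken for the start of a tag.
function tokenize(html) {
  const tokens = [];
  let text = '';
  let i = 0;
  while (i < html.length) {
    if (html[i] === '<' && /[A-Za-z\/]/.test(html[i + 1] || '')) {
      if (text) { tokens.push({ type: 'text', raw: text }); text = ''; }
      const start = i++;
      let name = '';
      if (html[i] === '/') { name = '/'; i++; }            // end tag
      while (i < html.length && !/[\s\/>]/.test(html[i])) name += html[i++];
      while (i < html.length && html[i] !== '>') {        // attributes
        if (/[\s\/]/.test(html[i])) { i++; continue; }
        while (i < html.length && !/[\s=>]/.test(html[i])) i++;   // name
        while (i < html.length && /\s/.test(html[i])) i++;
        if (html[i] === '=') {
          i++;
          while (i < html.length && /\s/.test(html[i])) i++;
          const q = html[i];
          if (q === '"' || q === "'") {                    // quoted value
            i++;
            while (i < html.length && html[i] !== q) i++;
            i++;
          } else {                                         // unquoted value
            while (i < html.length && !/[\s>]/.test(html[i])) i++;
          }
        }
      }
      i++; // past '>'
      tokens.push({ type: 'tag', name: name.toLowerCase(), raw: html.slice(start, i) });
    } else {
      text += html[i++];
    }
  }
  if (text) tokens.push({ type: 'text', raw: text });
  return tokens;
}

// Vulnerable pattern: substitution over the whole serialised string,
// attribute values included.
function naiveEmojify(html) {
  return html.replace(SHORTCODE, (_, name) => emojiImg(name));
}

// Hardened pattern: substitute only in text tokens, so attribute values stay
// exactly as the sanitiser stored them.
function safeEmojify(html) {
  return tokenize(html)
    .map((t) => (t.type === 'text' ? t.raw.replace(SHORTCODE, (_, n) => emojiImg(n)) : t.raw))
    .join('');
}

// Defender-side checks: count a tag name in tag position, and list element
// types that never belong in rendered post content (forms and frames, as in
// the article). Run over rendered output, these flag a broken-out attribute.
const NEVER_IN_POSTS = new Set(['form', 'input', 'iframe', 'script', 'style']);
function countTags(html, name) {
  return tokenize(html).filter((t) => t.type === 'tag' && t.name === name).length;
}
function forbiddenTags(html) {
  return tokenize(html)
    .filter((t) => t.type === 'tag' && NEVER_IN_POSTS.has(t.name))
    .map((t) => t.name);
}

console.log('naive:', forbiddenTags(naiveEmojify(STORED_POST)));  // [ 'iframe' ]
console.log('safe :', forbiddenTags(safeEmojify(STORED_POST)));   // []
```

The naive path produces markup in which the browser sees the title attribute end at the emoji’s first double quote, after which the rest of the stored value, including the iframe, is parsed as real elements; the text-only path leaves the attribute intact and still renders the emoji in the visible text. In a real deployment the tokenizer would be replaced by the platform’s actual HTML parser, but the ordering rule is the same: never perform string substitution on already-serialised, already-sanitised markup.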


He explained to The Daily Swig: “Add the PoC code into post text area and hit publish – [the] user sees [the] post and clicks on what they think is a Mastodon toolbar. Credentials are [then] sent to an external server.

“In a real attack the credentials will be stored and the user redirected back to the site.”

Mitigations

Any Mastodon instance using the Glitch fork of Mastodon is vulnerable, Heyes explained, adding that since the server is vulnerable, “there’s not much a user can do to protect themselves”.

He added: “However, it would be a good idea to only autofill your password with user interaction to prevent credentials from being stolen.”

Heyes reported the bug directly to Glitch. Contributors have released a patch for the issue, which is available on the Glitch repo.

Copyright 2021 Associated Press. All rights reserved.

Source: https://portswigger.net/daily-swig/mastodon-users-vulnerable-to-password-stealing-attacks
