Mastodon users vulnerable to password-stealing attacks

Bangaly Koita 2 years ago

A security researcher has detected a vulnerability in Glitch, a fork of Mastodon. An attackers could steal the credentials from Mastodon.

Mastodon is free and open-source software for running self-hosted social networking services (check Wikipedia for more details).

The security researcher was able to steal the credentials on Infosec Mastodon with a HTML injection vulnerability, without the need to bypass CSP.

Stealing passwords from infosec Mastodon – without bypassing CSP | PortSwigger Research

The vulnerability was reported to Mastodon. The flaw is specific to the Glitch fork used by InfoSec. Exchange. Mastodon has released the version 4.0.1, 3.5.5, and 3.4.10 to mitigate the issue. The 2FA authentication could prevent someone with the password to not access to your environment.

You may have missed

Telegram phishing

Scammers created thousand of fake websites mimicking Telegram

Bangaly Koita 4 weeks ago
ConnectWise

Malicious ConnectWise Control application downloaded in the wild

Bangaly Koita 1 month ago
Tesla phishing

Tesla website impersonated by threat actors

Bangaly Koita 1 month ago
Google call

Google Meet typosquat by threat actors

Bangaly Koita 2 months ago
OSINT

What is OSINT ?

Bangaly Koita 2 months ago