Mastodon users vulnerable to password-stealing attacks

Nov 16, 2022 | News


Attackers could steal password credentials from Mastodon users due to a vulnerability in Glitch, a fork of Mastodon, a researcher has warned.


Mastodon has risen in popularity in recent weeks, as many users moved to the social media platform as a replacement for Twitter, recently acquired by controversial businessman Elon Musk.

“Everybody on infosec Twitter seemed to be jumping ship to the infosec.exchange Mastodon server, so I decided to see what the fuss was all about,” Gareth Heyes, of PortSwigger Research, wrote in a blog post released today.

Heyes found he was able to steal users’ stored credentials using Chrome’s autofill feature by tricking them into clicking a malicious element he had disguised as a toolbar.

After discovering that Mastodon allows users to post HTML, Heyes found out from other users that he was able to spoof a blue ‘official’ tick in his username by inputting :verified:.

He placed the :verified: string inside an anchor text node that was inside the title attribute by doing the following:

Input: <abbr title="<a href='https://blah'>:verified:</a>><iframe src=//garethheyes.co.uk/>">

Output: <abbr title="<a href='https://blah'><img draggable="false" … >><iframe src=//garethheyes.co.uk/>

This allowed Heyes to bypass the HTML filter: the :verified: placeholder was replaced, after filtering, with an image tag whose attributes contain double quotes, and the inserted quote terminated the title attribute so that the remainder of his input was rendered as live HTML.
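The following JavaScript is an added example, not code from Mastodon, Glitch or PortSwigger. It models the bug class behind this bypass: shortcodes are substituted into an already serialized HTML string by a scanner that skips tags by jumping from `<` to the next `>`, so a `>` inside a quoted attribute value ends the "tag" early and the shortcode inside the attribute gets replaced with markup containing double quotes. The hardened variant tracks quoted attribute values while skipping a tag, so substitution only ever happens in text content. All function names are hypothetical, and the sample payload reproduces the shape of the input above with a placeholder frame target.

```javascript
// Added example (hypothetical names), modelling shortcode substitution on a
// serialized HTML string. Not Mastodon, Glitch or PortSwigger code.

// The markup a toy renderer swaps in for :verified:. Note the double quotes.
const VERIFIED_IMG =
  '<img draggable="false" class="emojione" alt=":verified:" src="/emoji/verified.svg">';

// Naive tag skipping: jump from '<' to the next '>' regardless of quoting.
// This models the weak behaviour; a '>' inside a quoted attribute ends the "tag".
function skipTagNaive(html, lt) {
  const gt = html.indexOf('>', lt);
  return gt === -1 ? html.length : gt + 1;
}

// Quote-aware tag skipping: a '>' inside a quoted attribute value does not end
// the tag, so a shortcode inside an attribute value is copied through untouched.
function skipTagQuoteAware(html, lt) {
  let quote = null;
  for (let j = lt + 1; j < html.length; j++) {
    const c = html[j];
    if (quote !== null) {
      if (c === quote) quote = null;
    } else if (c === '"' || c === "'") {
      quote = c;
    } else if (c === '>') {
      return j + 1;
    }
  }
  // Unterminated tag or quote: consume the rest and substitute nothing (fail closed).
  return html.length;
}

// Shared scanner: tags are copied through as-is, :verified: in text is replaced.
function emojify(html, skipTag) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    const colon = html.indexOf(':', i);
    if (lt !== -1 && (colon === -1 || lt < colon)) {
      const end = skipTag(html, lt);
      out += html.slice(i, end);
      i = end;
    } else if (colon !== -1) {
      const close = html.indexOf(':', colon + 1);
      if (close !== -1 && html.slice(colon, close + 1) === ':verified:') {
        out += html.slice(i, colon) + VERIFIED_IMG;
        i = close + 1;
      } else {
        // Not a shortcode (e.g. the colon in "https:"): copy through the colon and continue.
        out += html.slice(i, colon + 1);
        i = colon + 1;
      }
    } else {
      out += html.slice(i);
      break;
    }
  }
  return out;
}

const emojifyNaive = (html) => emojify(html, skipTagNaive);
const emojifySafe = (html) => emojify(html, skipTagQuoteAware);

// Constructed input in the shape shown above; attacker.invalid is a placeholder.
const PAYLOAD =
  '<abbr title="<a href=\'https://blah\'>:verified:</a>><iframe src=//attacker.invalid/>">';

// Naive: the <img ...> lands inside the title attribute and its quotes break out of it.
console.log(emojifyNaive(PAYLOAD));
// Quote-aware: the whole <abbr ...> is one tag, nothing inside it is substituted.
console.log(emojifySafe(PAYLOAD) === PAYLOAD);
```

The naive scanner produces exactly the broken output the article shows (an `<img draggable="false" …>` inside the title attribute), while the quote-aware scanner returns the input unchanged. The general lesson is the one the article's output illustrates: any post-sanitization substitution must be confined to text content (in a real renderer, by walking DOM text nodes rather than the serialized string), and it must never insert unescaped quote characters into a context it has not parsed.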

“The filter was completely destroyed as I could just inject arbitrary HTML, but one last thing stood in my way: they used a relatively strict Content Security Policy (CSP),” wrote Heyes.

“Pretty much each resource was limited to infosec.exchange, with the exception of iframes which allowed any HTTPS URL.”


Spoofed


Heyes then realised he could inject form elements, allowing him to spoof a password form which, combined with Chrome autofill, would give an attacker access to the credentials.

Worse still, the researcher was able to spoof the Mastodon toolbar itself: when a user clicked any element of the spoofed toolbar, their credentials were sent to an attacker’s server.

Heyes tested Chrome to see if it would still autofill the credentials when the inputs were invisible. If an attacker used an opacity value of zero, Chrome would still conveniently fill in the credentials.

Due to the CSP, Heyes couldn’t use inline styles. However, looking at the CSS files, he found a class that had opacity:0 “in a couple of seconds”, which “worked perfectly”.

He explained to The Daily Swig: “Add the PoC code into post text area and hit publish – [the] user sees [the] post and clicks on what they think is a Mastodon toolbar. Credentials are [then] sent to an external server.

“In a real attack the credentials will be stored and the user redirected back to the site.”

Mitigations


Any Mastodon instance using the Glitch fork of Mastodon is vulnerable, Heyes explained, adding that since the server is vulnerable, “there’s not much a user can do to protect themselves”.

He added: “However, it would be a good idea to only autofill your password with user interaction to prevent credentials from being stolen.”

Heyes reported the bug directly to Glitch. Contributors have released a patch for the issue, which is available on the Glitch repo.


Source: portswigger.net
