Post APdeQ28ToWLxPNS8PY by grendel84@tiny.tilde.website
(DIR) Post #APdO4dyopa8f8tiFMW by tinker@infosec.exchange
2022-11-15T17:07:45Z
3 likes, 6 repeats
Lol, when a bunch of hackers migrate to new services, they tend to kick the tires a bit.
Here, some hackers found a way to steal Mastodon passwords by manipulating the way Mastodon allows (and sidestepping the way Mastodon protects) HTML embedded into posts.
It also highlights the ways that third party plugins (here Glitch, found on the Mastodon server infosec(dot)exchange and others) introduce interesting attack vectors that core maintainers don't initially control (thoughts go out to Wordpress).
The hackers then reported the issues to the Mastodon team and the Glitch team so they could issue security patches.
Big shoutout for finding/reporting the vuln: @gaz @albinowax
Kudos to the Mastodon & Glitch teams for coordinating and issuing a timely security patch.
I expect we'll see a lot more of these initially (this is good, means the website is getting more secure).
Takeaways:
Users: Consider changing your Mastodon password. Implement Multi-Factor Authentication.
Admins: Update to the latest Mastodon version. Update any plugins as well.
Full writeup here: https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp
#infosec #WebAppPentesting #hacking #BugHunting
(DIR) Post #APdU01IBKQK1imwpHc by feld@bikeshed.party
2022-11-15T18:14:43.450703Z
0 likes, 0 repeats
@tinker @gaz @albinowax I'd be curious to know if our HTML sanitizer in Pleroma is vulnerable as well
(DIR) Post #APdUvIw0PJ7SwbtGrI by tinker@infosec.exchange
2022-11-15T18:18:27Z
0 likes, 0 repeats
@feld @albinowax @gaz - The article puts out solid exploit code as well as methodology around it.... Only one way to find out!!!
(DIR) Post #APdUvJNekVEmKMpLxQ by feld@bikeshed.party
2022-11-15T18:25:11.019219Z
0 likes, 0 repeats
@tinker @albinowax @gaz Seriously but while we're on the topic can Infosec Mastodon PLEASE scream from the mountaintops that having OAuth tokens that never expire is NOT okay? Please?
(DIR) Post #APdWAwI4StZPIoELxo by amberage@eldritch.cafe
2022-11-15T18:16:34Z
0 likes, 0 repeats
@tinker ......there is 2FA in Mastodon? Last time I checked I didn't find an option for that anywhere.
(DIR) Post #APdWAwgWzx8UWfft5c by tinker@infosec.exchange
2022-11-15T18:20:27Z
0 likes, 0 repeats
@amberage - Yep!
To set up Multi-Factor Authentication (MFA) on Mastodon:
Click settings
Go to Account
Then to Two-Factor Auth
Click on SET UP and go!!!!!
#feditips
(DIR) Post #APdWAx7pMSyDtKRgdU by amberage@eldritch.cafe
2022-11-15T18:23:16Z
0 likes, 0 repeats
@tinker neat that it exists, sucks that it only exists for smartphone users
(DIR) Post #APdWAxbxYR4bOmXkbQ by tinker@infosec.exchange
2022-11-15T18:32:09Z
0 likes, 0 repeats
@amberage - You can use TOTP MFA on a desktop computer as well.
So if you're not using a smart phone to view Mastodon but you are using a desktop computer to view it, you can download something like KeePassXC to use MFA.
User guide on using KeePassXC to set up a TOTP MFA token: https://keepassxc.org/docs/KeePassXC_UserGuide.html#_adding_totp_to_an_entry
(DIR) Post #APdWAy2Byu3ai8ohUW by joyo@thejoyo.com
2022-11-15T18:39:32.266491Z
0 likes, 0 repeats
@tinker @amberage interesting to me is the option to use Firefox as a password store for apps now on Android 13.
Here's hoping KeePass clients can implement this interface.
I'm using KeeWeb but I'll switch in a heartbeat.
(DIR) Post #APdWEzbE6X24iu7hAW by feld@bikeshed.party
2022-11-15T18:39:51.766573Z
0 likes, 0 repeats
@tinker @albinowax @gaz OK let's make that same HTML with an emoji I have here
iex(9)> html = ~s|<abbr title="<a href='https://blah'>:awesome::awesome:</a><iframe src=//garethheyes.co.uk/>\">"
Let's expand the emoji
iex(12)> emoji_expanded = Pleroma.Emoji.Formatter.emojify(html)
"<abbr title=\"&lt;a href=&#39;https://blah&#39;&gt;&lt;img class=&#39;emoji&#39; alt=&#39;awesome&#39; title=&#39;awesome&#39; src=&#39;/emoji/awful/awesome.gif&#39; /&gt;&lt;/a&gt;&lt;iframe src=//garethheyes.co.uk/&gt;\"></abbr>"
It re-encoded it with HTML entities. Let's run it through the scrubber.
iex(13)> FastSanitize.Sanitizer.scrub(emoji_expanded, Pleroma.HTML.Scrubber.Default)
{:ok, "<abbr title=\"&lt;a href=&#39;https://blah&#39;&gt;&lt;img class=&#39;emoji&#39; alt=&#39;awesome&#39; title=&#39;awesome&#39; src=&#39;/emoji/awful/awesome.gif&#39; /&gt;&lt;/a&gt;&lt;iframe src=//garethheyes.co.uk/&gt;\"></abbr>"}
I'm not sure you can do much with this. The decoded result is:
<abbr title=\"<a href='https://blah'><img class='emoji' alt='awesome' title='awesome' src='/emoji/awful/awesome.gif' /></a><iframe src=//garethheyes.co.uk/>\"></abbr>
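The ordering question feld's iex session probes, expanding emoji after sanitization, as an added Python example that is not Pleroma's or Mastodon's code: a blind string replace over the serialized fragment drops the emoji `<img>` markup, double quotes included, into the abbr title attribute, while a parser-based pass that expands shortcodes only in text nodes and re-escapes attribute values leaves the attribute inert. The emoji table, the `:awesome:` shortcode and the sanitized input fragment are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed for this example: one custom emoji and the :shortcode: syntax.
EMOJI = {"awesome": "/emoji/awful/awesome.gif"}
SHORTCODE = re.compile(r":([a-z0-9_]+):")

# Constructed input in the shape of the abbr/title probe above, as a sanitizer
# would emit it with the attribute value entity-encoded.
SANITIZED = ("<abbr title=\"&lt;a href='https://blah'&gt;:awesome::awesome:&lt;/a&gt;\">"
             "hi :awesome:</abbr>")

def emoji_img(name):
    # Double-quoted attributes: pasted raw into a double-quoted attribute value,
    # the first " below terminates that value early.
    return f'<img class="emoji" alt="{name}" title="{name}" src="{EMOJI[name]}" />'

def expand_text(text):
    return SHORTCODE.sub(lambda m: emoji_img(m[1]) if m[1] in EMOJI else m[0], text)

def emojify_naive(sanitized):
    """Blind replace over the serialized, already-sanitized fragment: shortcodes
    inside attribute values are expanded too (the risky pattern)."""
    return expand_text(sanitized)

class TextNodeEmojifier(HTMLParser):
    """Re-serializes the fragment, expanding shortcodes only in text nodes and
    re-escaping every attribute value; comments and declarations are dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # pass text entities through
        self.out = []

    def _tag(self, tag, attrs, close=""):  # attribute values arrive decoded
        body = "".join(f' {k}="{html.escape(v or "", quote=True)}"' for k, v in attrs)
        return f"<{tag}{body}{close}>"

    def handle_starttag(self, tag, attrs): self.out.append(self._tag(tag, attrs))
    def handle_startendtag(self, tag, attrs): self.out.append(self._tag(tag, attrs, " /"))
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_data(self, data): self.out.append(expand_text(data))  # only here

def emojify_text_nodes(sanitized):
    p = TextNodeEmojifier()
    p.feed(sanitized)
    p.close()
    return "".join(p.out)
```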
(DIR) Post #APdeQ28ToWLxPNS8PY by grendel84@tiny.tilde.website
2022-11-15T20:11:25Z
1 likes, 0 repeats
@feld @albinowax @gaz @tinker Ugh, just last week I found a dev had created a client secret that doesn't expire until 2299 (the system doesn't allow this anymore).
He seemed miffed when I nuked the secret and created a new one with a 2 year expiration.
(DIR) Post #APdxd57Lw9rHY9rRPU by barrowofdirt@mastodon.lol
2022-11-15T23:26:23Z
0 likes, 0 repeats
@tinker Hackers are amazing to me, a cross between a wizard and a thief in a role playing game. Arcane knowledge and bypassing locks. I'm in awe.
(DIR) Post #APdxd5V6VqrCjoyPQm by tinker@infosec.exchange
2022-11-15T23:45:25Z
1 likes, 0 repeats
@barrowofdirt - I find it absolutely wonderful. Some of the folks that I've run into are absolutely proper mages. The deep arcanum obscura that they possess is proper, as you say, awe inspiring.
That said... what I found truly wonderful is that hackers don't necessarily possess the ways to hack any given thing, though they certainly build some of that up over time.
Instead, hackers possess a truly deep knowledge on how to approach ANY problem and suss out whatever solution they are going to.
That blows me away.
(DIR) Post #APe5l5LHmi1CCGhnRA by Rickster@mas.to
2022-11-15T22:15:43Z
0 likes, 0 repeats
@tinker @gaz @albinowax Passwords were hacked. "this is good, means the website is getting more secure." I hope there is a better plan than trying to spin this.
(DIR) Post #APe5l5rXqlp3oJnYie by tinker@infosec.exchange
2022-11-15T23:51:06Z
0 likes, 1 repeats
@Rickster @gaz @albinowax Oh, friend... this is what we do.
Those hackers did NOT hack any passwords.
They SPECIFICALLY found a way that passwords COULD be hacked (and demonstrated it with their own passwords).
Probably a better term for this sort of activity is: Security Quality Assurance
They TESTED the security. Found a part that needed to be fixed. And brought it to the attention of the Mastodon/Glitch developers - who fixed it.
They didn't CREATE a vulnerability. They FOUND a vulnerability that already existed.
Because of their actions, Mastodon is currently MORE SECURE than it was before they put their attention to it.
#infosec #hacking #HackingIsNotACrime
(DIR) Post #APfBxrKC0UHxMyd0zo by spla@mastodont.cat
2022-11-16T07:23:16Z
0 likes, 0 repeats
@feld by default, Akkoma's (fork of Pleroma) OAuth2 tokens' lifetime is like this. Seems too much time. @albinowax @gaz @tinker
(DIR) Post #APfBxrmYJ2yQmvtfCS by feld@bikeshed.party
2022-11-16T14:02:06.538956Z
0 likes, 1 repeats
@spla @albinowax @gaz @tinker This is on purpose because we need to do this for Mastodon apps
Pleroma was the first to push for OAuth token renewal/expiration and implemented it, but it broke all the Mastodon apps
There's an issue or thread somewhere about this. My memory is that Gargron refused to implement the expiring tokens because there were too many Mastodon apps that would cause forced logouts and that would be bad for the ecosystem
But this problem was caused initially by Mastodon doing the wrong thing and never even trying to fix it
(DIR) Post #APfCD1NYuJW0tdQyki by yes@social.handholding.io
2022-11-16T14:05:14.715353Z
0 likes, 0 repeats
@feld @gaz @tinker @spla it isn't a bug, mastodon feature as it fits with eugen's vision or something