If you haven’t heard of Mastodon, it is a decentralized social media platform that users are flocking to as a replacement for Twitter. After Elon Musk purchased Twitter and laid off many of its employees, users started looking for an alternative. While Mastodon is different from the extremely popular social networking site known for “tweets”, people are checking it out nonetheless.
Recently, a researcher found they could read users’ stored credentials through Chrome’s autofill feature. All it took was tricking the victim into clicking a malicious element, disguised as a toolbar, inside Mastodon.
They were also able to use the same HTML feature to spoof a blue ‘official’ tick next to their username by entering ‘:verified:’.
Any Mastodon instance using the Glitch fork* is vulnerable. Since the flaw is on the server side, there is not much a user can do to protect themselves.
The best thing a user can do is to allow password autofill only after explicit user interaction, so that credentials are not filled in automatically and stolen.
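As an added illustration of the server-side control that addresses this class of bug (this is not the Glitch fork’s own code or its patch), the sanitizer below allowlists the HTML a post may contain and removes form, input and other active elements, so an injected “login” form never reaches the browser and cannot trigger autofill. It is written in Python with only the standard library; the tag allowlist and the constructed sample post are assumptions chosen for the demonstration.

```python
"""Allowlist sanitizer for user-supplied post HTML (constructed example)."""
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "a", "span", "strong", "em", "code"}
ALLOWED_ATTRS = {"a": {"href", "rel"}, "span": {"class"}}
# Container tags dropped together with everything inside them (labels, inputs, buttons).
DROP_WITH_CONTENT = {"form", "script", "style", "iframe", "object", "select", "textarea", "button"}
VOID_TAGS = {"br"}  # allowed tags that never get a closing tag


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded and is re-escaped on output
        self.parts = []
        self.skip_depth = 0  # > 0 while inside a dropped container such as <form>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tags (input, img, ...) are removed; their text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers, style, etc. never survive
            if name == "href" and not (value or "").lower().startswith(("http://", "https://")):
                continue  # only absolute http(s) links; rejects javascript: and data: URLs
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> is emitted as <br>

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.parts.append(html.escape(data, quote=False))


def sanitize(raw_html: str) -> str:
    """Return the post with only allowlisted markup; everything else is stripped."""
    parser = AllowlistSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.parts)
```

The constructed input in the test embeds a fake login form, a javascript: link and an inline event handler; all three are removed while ordinary markup and escaped text pass through unchanged.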
The researcher reported the bug directly to Mastodon, and contributors have released a patch to fix the issue, which is available on the Glitch Repo.
Would you use Mastodon? For more information on how to use it, here is a beginner’s guide.
What IS a bug?
A bug is a flaw or vulnerability in a software or hardware design that attackers can potentially exploit. Bugs are oftentimes mistakes made by the programmer, or things that were overlooked. In the case of Mastodon, the programmer probably wasn’t thinking about security when writing the code that runs Mastodon. Companies that encourage people to find bugs in their designs offer bug bounties, which are rewards, oftentimes money, for discovering a previously unknown bug.
*The Glitch fork is a particular version (fork) of Mastodon, so any instance running it was vulnerable to the exploit.