Conversation

Notices

1. Embed this notice
   Wary Jerry (jerry@infosec.exchange)'s status on Tuesday, 15-Nov-2022 23:42:23 JST Wary Jerry

   This message for everyone on the fediverse:

   First, please ensure you go into your account settings and enable two/multi factor authentication. No, I mean do it right now. I’ll wait till you’re done.

   …

   …

   Ok, thank you.

   Now, if you are the admin of a mastodon instance, please go upgrade to 4.0.2 ASAP.

   Background: https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp

   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 16-Nov-2022 04:25:16 JST Alex Gleason

     in reply to
     @jerry The real vulnerability is that Chrome autofills passwords into iframes. What the hell? Is that for real?
   • Embed this notice
     Alex Gleason (alex@gleasonator.com)'s status on Wednesday, 16-Nov-2022 04:29:44 JST Alex Gleason

     in reply to

     • Alex Gleason

     @jerry Okay, the reason it’s not an issue for other types of embeds is because we use the sandbox attribute and disallow form submissions. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox

   • Embed this notice
     Ren ? (rogueren@vt.social)'s status on Wednesday, 16-Nov-2022 11:42:06 JST Ren ?

     in reply to

     • Asahi Linya (朝日りにゃ〜)
     • Luna ??? //nullptr::live

     @jerry @lina @LunaFoxgirlVT I assume you're aware of this?

   • Embed this notice
     Asahi Linya (朝日りにゃ〜) (lina@vt.social)'s status on Wednesday, 16-Nov-2022 11:42:06 JST Asahi Linya (朝日りにゃ〜)

     in reply to

     • Luna ??? //nullptr::live
     • Ren ?

     @rogueren @jerry @LunaFoxgirlVT I just woke up and updated it ^^

   • Embed this notice
     Ren ? (rogueren@vt.social)'s status on Wednesday, 16-Nov-2022 14:20:10 JST Ren ?

     in reply to

     • Asahi Linya (朝日りにゃ〜)
     • Luna ??? //nullptr::live

     @lina @jerry @LunaFoxgirlVT awesome!