Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/jerry/statuses/109348246444608881">Wary Jerry (jerry@infosec.exchange)'s status on Tuesday, 15-Nov-2022 23:42:23 JST</a><a href="https://infosec.exchange/@jerry" title="jerry@infosec.exchange"><img src="https://gnusocial.jp/avatar/5390-48-20250404172553.webp" width="48" height="48" alt="Wary Jerry" style="position: absolute; left: 0; top: 0;">Wary Jerry</a></section><article><p>This message for everyone on the fediverse: </p><p>First, please ensure you go into your account settings and enable two/multi factor authentication. No, I mean do it right now. I’ll wait till you’re done. </p><p>…</p><p>…  </p><p>Ok, thank you. </p><p>Now, if you are the admin of a mastodon instance, please go upgrade to 4.0.2 ASAP. </p><p>Background: <a href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp" rel="nofollow noreferrer">https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/513879#notice-829891">In conversation</a><time datetime="2022-11-15T23:42:23+09:00" title="Tuesday, 15-Nov-2022 23:42:23 JST">Tuesday, 15-Nov-2022 23:42:23 JST</time> <span>from <span><a href="https://infosec.exchange/@jerry/109348246444608881" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@jerry/109348246444608881">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: portswigger.net</div><h5><a href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">Stealing passwords from infosec Mastodon - without bypassing CSP</a></h5><div></div></header><div>The story of how I could steal credentials on Infosec Mastodon with a HTML injection vulnerability, without needing to bypass CSP. Everybody on our Twitter feed seemed to be jumping ship to the infose</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Wary Jerry (jerry@infosec.exchange)'s status on Tuesday, 15-Nov-2022 23:42:23 JST Wary Jerry
This message for everyone on the fediverse:
First, please ensure you go into your account settings and enable two/multi factor authentication. No, I mean do it right now. I’ll wait till you’re done.
…
…
Ok, thank you.
Now, if you are the admin of a mastodon instance, please go upgrade to 4.0.2 ASAP.
Background: https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp
In conversationTuesday, 15-Nov-2022 23:42:23 JST from infosec.exchangepermalink
Attachments
1. Domain not in remote thumbnail source whitelist: portswigger.net
  Stealing passwords from infosec Mastodon - without bypassing CSP
  The story of how I could steal credentials on Infosec Mastodon with a HTML injection vulnerability, without needing to bypass CSP. Everybody on our Twitter feed seemed to be jumping ship to the infose

Public

Embed Notice

HTML Code

Corresponding Notice