Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://fosstodon.org/users/privacybrowser/statuses/109357257979153372">Soren Stoutner (privacybrowser@fosstodon.org)'s status on Thursday, 17-Nov-2022 14:50:31 JST</a><a href="https://fosstodon.org/@privacybrowser" title="privacybrowser@fosstodon.org"><img src="https://gnusocial.jp/avatar/11548-48-20220928192213.webp" width="48" height="48" alt="Soren Stoutner" style="position: absolute; left: 0; top: 0;">Soren Stoutner</a></section><article><p>Stealing passwords from infosec Mastodon - without bypassing CSP | PortSwigger Research – <a href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp" rel="nofollow noreferrer">https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp</a></p><p>“My next test was with Chrome autofill - would the password get filled in automatically by Chrome? Of course it would, and without any user interaction!”</p><p>This is one of the reasons why your password manager should never be integrated with your browser.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/545996#notice-874612">In conversation</a><time datetime="2022-11-17T14:50:31+09:00" title="Thursday, 17-Nov-2022 14:50:31 JST">Thursday, 17-Nov-2022 14:50:31 JST</time> <span>from <span><a href="https://fosstodon.org/@privacybrowser/109357257979153372" rel="external" title="Sent from fosstodon.org via ActivityPub">fosstodon.org</a></span></span><a href="https://fosstodon.org/@privacybrowser/109357257979153372">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: portswigger.net</div><h5><a href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">Stealing passwords from infosec Mastodon - without bypassing CSP</a></h5><div></div></header><div>The story of how I could steal credentials on Infosec Mastodon with a HTML injection vulnerability, without needing to bypass CSP. Everybody on our Twitter feed seemed to be jumping ship to the infose</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Soren Stoutner (privacybrowser@fosstodon.org)'s status on Thursday, 17-Nov-2022 14:50:31 JST Soren Stoutner
Stealing passwords from infosec Mastodon - without bypassing CSP | PortSwigger Research – https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp
“My next test was with Chrome autofill - would the password get filled in automatically by Chrome? Of course it would, and without any user interaction!”
This is one of the reasons why your password manager should never be integrated with your browser.
In conversation3 years ago from fosstodon.orgpermalink
Attachments
1. Domain not in remote thumbnail source whitelist: portswigger.net
  Stealing passwords from infosec Mastodon - without bypassing CSP
  The story of how I could steal credentials on Infosec Mastodon with a HTML injection vulnerability, without needing to bypass CSP. Everybody on our Twitter feed seemed to be jumping ship to the infose

Public

Embed Notice

HTML Code

Corresponding Notice