 This message for everyone on the fediverse: First, please ensure you go into your account settings and enable two/multi factor authentication. No, I mean do it right now. I’ll wait till you’re done. … … Ok, thank you. Now, if you are the admin of a mastodon instance, please go upgrade to 4.0.2 ASAP. Background: https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp 39 comments
 @AtomicMaya @jerry Thank you for sharing. I scheduled the update for tomorrow, but based on this info I'm going to run the upgrade now after a backup @jerry beat me to it. I mean, if someone in the infosec community didn't immediately set up MFA, that's a paddlin'. @jerry Can someone tell me where 2FA resides cause I can't seem to fin it in the Settings.   @jerry No 2FA on akkoma I believe, which is too bad. Interesting vulnerability though. Good thing I've long stopped using chrome autofill for my passwords. I believe more of these vulnerabilities will be found in the future. They are part of the growing pains of a hobby-size platform growing up.
@staustellsimon you have to do it through the web interface- most mobile apps don’t expose that setting  Probably best to set 2FA/SA up via web on a PC. You'll need your phone free for the setup anyway 😉🤷♂️ @jerry  @jerry seems MFA is mitigating the issue of having a password manager autofilling credentials. *Disable autofill* @carlosmelero @jerry Thankfully that is always my default setup. It's always a little less convenient, but I've never trusted autofill because of stuff like this.  @jerry For those who are struggling to find the link, it's hiding here. @JessTheUnstill that works for me, and clearly shows 2FA under Account, but not when I browse to Account, odd @JessTheUnstill hmmmm now it is, and now I just dont know if I was being completely stupid or not @staustellsimon Yeah I spent a while looking for MFA myself. It wasn't obvious at first. I think it's because Account isn't expanded by default. So you click on https://infosec.exchange/auth/edit and there's nothing on that page for MFA. It's not until you go BACK to the menu that you see the MFA sub menu.  Enabling #2FA was one of the things which I did soon after creating my account (while looking to see what configuration options were present). Just as well that I did. |
Gregory's Server
@jerry thank you J!