Email or username:

Password:

Forgot your password?
Kevin's posts Post Back to profile
Top-level
Kevin Beaumont

There's definitely some fun Mastodon security issues which will appear at some point, e.g. if anybody gets admin at an instance you can bulk select every user and delete them - even if you restore the instance from backup, every other instance has wiped them = no followers etc.

The first admin account on every instance has no MFA by default.

3 Jan 2023 at 14:28 | Open on cyberplace.social
6 comments
Kevin Beaumont

It doesn't take a genius to know that because you can log in repeatedly (there's no CAPTCHA etc) you could just credential stuff Mastodon instances until you get accounts, and then delete them. It will almost certainly happen somewhere.

At the minute the development focus is on new features but I suspect they'll have to be a regroup on basic threats.

I think cred stuffing may be a big issue, you can try to log in 200k times an hour and nothing shows in the admin interface as wrong.

3 Jan 2023 at 14:36 | Open on cyberplace.social
Richard Bairwell

@GossiTheDog There are rate limits on the login system (according to one of the main devs on the Discord).

3 Jan 2023 at 14:44 | Open on mastodon.org.uk
helge

@GossiTheDog

#calckey has a CAPTCHA on signup, not to signin.

I'm sure there is a fork somewhere with captchas to sign in. So the mysterious "they" of Mastodon development have already done the work. It just needs to be spread around.

3 Jan 2023 at 14:44 | Open on mas.to
BenB

@GossiTheDog
Using #crowdsec could help mitigate that, wouldn't allow the attacker to attempt 200K logins. Even using rotating IP's etc..

3 Jan 2023 at 14:45 | Open on osintua.eu
BenB

@GossiTheDog
For convenience
crowdsec.net

I just wish there was a #mastodon recipe for crowdsec so to take any attempts to brute force login into consideration and ban +sharing IP of bad actor with the community so that everyone can benefit from the ban of said bad actor.

3 Jan 2023 at 14:52 | Open on osintua.eu
Go Up