Kevin Beaumont

There's definitely some fun Mastodon security issues which will appear at some point, e.g. if anybody gets admin at an instance you can bulk select every user and delete them - even if you restore the instance from backup, every other instance has wiped them = no followers etc.

The first admin account on every instance has no MFA by default.

6 comments
Kevin Beaumont

It doesn't take a genius to know that because you can log in repeatedly (there's no CAPTCHA etc) you could just credential stuff Mastodon instances until you get accounts, and then delete them. It will almost certainly happen somewhere.

At the minute the development focus is on new features, but I suspect there'll have to be a regroup on basic threats.

I think cred stuffing may be a big issue, you can try to log in 200k times an hour and nothing shows in the admin interface as wrong.

Richard Bairwell (main)

@GossiTheDog There are rate limits on the login system (according to one of the main devs on the Discord).

helge

@GossiTheDog

#calckey has a CAPTCHA on signup, not on sign-in.

I'm sure there is a fork somewhere with captchas to sign in. So the mysterious "they" of Mastodon development have already done the work. It just needs to be spread around.

BenB

@GossiTheDog
Using #crowdsec could help mitigate that; it wouldn't allow the attacker to attempt 200K logins, even using rotating IPs etc.

BenB

@GossiTheDog
For convenience
crowdsec.net

I just wish there was a #mastodon recipe for crowdsec so as to take any attempts to brute force login into consideration and ban + share the IP of the bad actor with the community, so that everyone can benefit from the ban of said bad actor.
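An added example (my code, not from anyone in this thread or from the Mastodon or CrowdSec projects): the kind of detection the thread is asking for, run over constructed nginx access-log lines. It flags source IPs that exceed a sliding-window count of POSTs to /auth/sign_in, Mastodon's Devise sign-in endpoint; the IPs, timestamps and the threshold of 5 per minute are assumptions, not values from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed nginx combined-format log lines (documentation IPs, made-up times).
# 203.0.113.7 sends six sign-in POSTs in ten seconds, then one more five minutes later.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2022:12:00:01 +0000] "GET /auth/sign_in HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2022:12:00:02 +0000] "POST /auth/sign_in HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2022:12:00:04 +0000] "POST /auth/sign_in HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2022:12:00:05 +0000] "POST /auth/sign_in HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2022:12:00:06 +0000] "POST /auth/sign_in HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2022:12:00:08 +0000] "POST /auth/sign_in HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2022:12:00:10 +0000] "POST /auth/sign_in HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2022:12:00:12 +0000] "POST /auth/sign_in HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2022:12:05:00 +0000] "POST /auth/sign_in HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one nginx combined-format line; return a dict or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def sign_in_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each IP whose sign-in POSTs reach `threshold` inside any `window` to its peak count.

    All POSTs are counted regardless of status code: a failed Devise login re-renders
    the form (200) while success redirects (302), and a real user needs neither in bulk.
    """
    recent = defaultdict(deque)   # ip -> timestamps of POSTs inside the current window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/auth/sign_in":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

if __name__ == "__main__":
    print(sign_in_bursts(SAMPLE_LOG))   # {'203.0.113.7': 6}
```

The flagged dictionary is what you would hand to a ban list or a CrowdSec-style scenario; the 12:05:00 request shows that the window resets rather than accumulating forever.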
