It doesn't take a genius to know that because you can...

It doesn't take a genius to know that because you can log in repeatedly (there's no CAPTCHA etc) you could just credential stuff Mastodon instances until you get accounts, and then delete them. It will almost certainly happen somewhere.

At the minute the development focus is on new features but I suspect they'll have to be a regroup on basic threats.

I think cred stuffing may be a big issue, you can try to log in 200k times an hour and nothing shows in the admin interface as wrong.

Like 3 Jan 2023 at 14:36 | Open on cyberplace.social

5 comments

Richard Bairwell

@GossiTheDog There are rate limits on the login system (according to one of the main devs on the Discord).

3 Jan 2023 at 14:44 | Open on mastodon.org.uk

Kevin Beaumont

@rbairwell yeah but they're super easy to bypass

3 Jan 2023 at 14:44 | Open on cyberplace.social

helge

@GossiTheDog

#calckey has a CAPTCHA on signup, not to signin.

I'm sure there is a fork somewhere with captchas to sign in. So the mysterious "they" of Mastodon development have already done the work. It just needs to be spread around.

3 Jan 2023 at 14:44 | Open on mas.to

BenB

@GossiTheDog
Using #crowdsec could help mitigate that, wouldn't allow the attacker to attempt 200K logins. Even using rotating IP's etc..

3 Jan 2023 at 14:45 | Open on osintua.eu

BenB

@GossiTheDog
For convenience
https://crowdsec.net

I just wish there was a #mastodon recipe for crowdsec so to take any attempts to brute force login into consideration and ban +sharing IP of bad actor with the community so that everyone can benefit from the ban of said bad actor.

3 Jan 2023 at 14:52 | Open on osintua.eu