Patched bug could have leaked credentials

Mastodon users vulnerable to password-stealing attacks

Attackers could steal password credentials from Mastodon users due to a vulnerability in Glitch, a fork of Mastodon, a researcher has warned.

Mastodon has risen in popularity in recent weeks, as many users moved to the social media platform as a replacement for Twitter, recently acquired by controversial businessman Elon Musk.

“Everybody on infosec Twitter seemed to be jumping ship to the Mastodon server, so I decided to see what the fuss was all about,” Gareth Heyes, of PortSwigger Research*, wrote in a blog post released today.

Heyes found he was able to steal users’ stored credentials using Chrome’s autofill feature by tricking them into clicking a malicious element he had disguised as a toolbar.

Read more of the latest news about web security vulnerabilities

After discovering that Mastodon allows users to post HTML, Heyes found out from other users that he was able to spoof a blue ‘official’ tick in his username by inputting :verified:.

He placed the :verified: string inside an anchor text node that was inside the title attribute by doing the following:

Input: <abbr title="<a href='https://blah'>:verified:</a>><iframe src=//>">

Output: <abbr title="<a href='https://blah'><img draggable=" false" … >><iframe src=//>

This allowed Heyes to successfully bypass the HTML filter due to the replacement of the verified placeholder with an image that contained double quotes.

“The filter was completely destroyed as I could just inject arbitrary HTML, but one last thing stood in my way: they used a relatively strict Content Security Policy (CSP),” wrote Heyes.

“Pretty much each resource was limited to, with the exception of iframes which allowed any HTTPS URL.”


Heyes then realised he could inject form elements, allowing him to spoof a password form which, when combined with Chrome autofill, would allow an attacker access to the credentials.

Worse still, the researcher was able to spoof the toolbar below. Where a user clicked on any elements of the spoofed toolbar, it would send their credentials to an attacker's server.

Heyes tested Chrome to see if it would still autofill the credentials when the inputs were invisible. If an attacker used an opacity value of zero, Chrome would still conveniently fill in the credentials.

Due to the CSP, Heyes couldn’t use inline styles. However, looking at the CSS files, he found a class that had opacity:0 “in a couple of seconds”, which “worked perfectly”.

He explained to The Daily Swig: “Add the PoC code into post text area and hit publish – [the] user sees [the] post and clicks on what they think is a Mastodon toolbar. Credentials are [then] sent to an external server.

“In a real attack the credentials will be stored and the user redirected back to the site.”


Any Mastodon instance using the Gitch fork of Mastodon is vulnerable, Heyes explained, adding that since the server is vulnerable, “there’s not much a user can do to protect themselves”.

He added: “However, it would be a good idea to only autofill your password with user interaction to prevent credentials from being stolen.”

Heyes reported the bug directly to Glitch. Contributors have released a patch for the issue, which is available on the Glitch repo.

* PortSwigger Research is the research arm of PortSwigger Ltd, the parent company of The Daily Swig.

YOU MAY ALSO LIKE Google Pixel screen-lock hack earns researcher $70k