Since Twitter's recent acquisition, many users have been looking for a Twitter replacement, and the decentralised micro-blogging platform Mastodon has grown in popularity as a result. With that increased popularity comes more scrutiny. PortSwigger, a web security company, discovered a way to steal passwords using an HTML injection vulnerability and demonstrated it on the infosec.exchange Mastodon instance. Mastodon issued a patch in less than a week, and the infosec.exchange instance has been patched. However, because Mastodon is a decentralised, federated network, there are hundreds of public and private instances, each run by its own administrator, that also need to be patched. Until every administrator upgrades, this vulnerability is most likely still in the wild and exploitable on unpatched instances.
https://portswigger.net/daily-swig/mastodon-users-vulnerable-to-password-stealing-attacks
https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp
This segment was created for the It’s 5:05 podcast