Bejesus
The story of how I could steal credentials on Infosec Mastodon with a HTML injection vulnerability, without needing to bypass CSP.
Stealing passwords from infosec Mastodon - without bypassing CSP
https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp
Lol. Yes. This is VERY bad. And nope, CoSo is not vulnerable to this attack.
@th3j35t3r cheeky lil lol there 😉
@th3j35t3r @voltronic @ecksmc if we joined coso before the fork, and changed pw recently, we good?
@LaurelGreen @voltronic @ecksmc
You're all good either way.
@th3j35t3r @LaurelGreen @voltronic @ecksmc
But... but... CoSo is basically Masto... 🤣
@BillyBones @th3j35t3r @LaurelGreen @ecksmc
I wonder how all those infosec people who joined that instance will feel about this news.
I was surprised so many of those people went there instead of here, when this has been an established thing for years.
@voltronic All I can think is that they're 'louder'. And while we obviously encourage new Cosonauts, I prefer our more understated way of "Try it but we don't tolerate idiots" rather than "Come on into our home and help yourselves to whatever's in the cupboards" 👍
@BillyBones
There's also the semi-organized disinfo campaign against CoSo going on the past few weeks.
@voltronic @BillyBones @th3j35t3r @LaurelGreen @ecksmc Whenever I see someone talking smack about CoSo I post about all the positive things here and debunk their absolute nonsense and am usually not alone in doing so. That crap really frosts my cha-cha!!
@ecksmc 🎵 This is why we sanitize our inputs
Your frontend is your foe~
When you let full tags go in
And don't allowlist text only
Then you'll be vulner-a-ble~ 🎵
@ecksmc
Um, this is bad.
@th3j35t3r
J, I'm guessing we're not vulnerable to this here?