@jenniferplusplus@hachyderm.io oh, then maybe I should report that other case as well...
hazelnoot@enby.life
@hazelnoot@enby.life
Posts
-
@jenniferplusplus@hachyderm.io It used to accept anything, including links to other posts on other instances. It's not spoofing like the vulns we had to fix for sharkey, but spoofing in the sense that you could direct to a phishing link or something.
-
All Mastodon versions until v4.3.8 and v4.2.21 allow arbitrary user-facing URLs for remote accounts, posts, and media attachments without any verification, which can be used by attackers for XSS attacks.
Lol, I raised similar concerns about this behavior a whole year ago, and people told me I had to be wrong because Mastodon wouldn't make such an obvious oversight
(my concern was about spoofing / phishing rather than XSS, but it's the same bit of code at fault)
RE: https://mastodon.social/users/MastodonEngineering/statuses/114461656642664237
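As an added defender-side illustration (not Mastodon's or Sharkey's own code), this Ruby check shows the kind of verification the advisory says was missing: a remote ActivityPub object's user-facing `url` is only shown to users if it is http(s) and on the same host as the object's `id`; otherwise the `id` (which the server already dereferenced when fetching the object) is shown instead. The policy and the sample objects are assumptions made for the example.

```ruby
require 'uri'

SAFE_SCHEMES = %w[http https].freeze

# Decide which link to present to users for a remote ActivityPub object.
# Hypothetical policy (an assumption here, not Mastodon's actual fix):
# accept "url" only when it is http(s) and shares the host of "id"; any
# other scheme (javascript:, data:, ...) or a foreign host falls back
# to the id, which blocks both script URLs and cross-site redirection.
def safe_user_facing_url(object)
  id = URI.parse(object.fetch('id'))
  raise ArgumentError, 'id must be http(s)' unless SAFE_SCHEMES.include?(id.scheme)

  candidate = object['url']
  candidate = candidate.first if candidate.is_a?(Array)   # AP allows arrays
  candidate = candidate['href'] if candidate.is_a?(Hash)  # ...and Link objects
  return id.to_s if candidate.nil? || candidate.to_s.empty?

  url = begin
    URI.parse(candidate.to_s)
  rescue URI::InvalidURIError
    return id.to_s
  end

  same_host = SAFE_SCHEMES.include?(url.scheme) &&
              url.host && url.host.casecmp?(id.host)
  same_host ? url.to_s : id.to_s
end

# Constructed sample actors (not taken from the page).
SAMPLE_ACTORS = {
  ok:      { 'id' => 'https://remote.example/users/alice', 'url' => 'https://remote.example/@alice' },
  phish:   { 'id' => 'https://remote.example/users/alice', 'url' => 'https://phish.example/@alice' },
  script:  { 'id' => 'https://remote.example/users/alice', 'url' => 'javascript:void(0)' },
  missing: { 'id' => 'https://remote.example/users/alice' }
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ACTORS.each { |name, actor| puts "#{name}: #{safe_user_facing_url(actor)}" }
end
```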