A researcher has warned that a vulnerability in Glitch, a fork of Mastodon, could allow attackers to obtain users’ saved passwords.

Mastodon has become more widely known recently as people migrate from Twitter, which the controversial entrepreneur Elon Musk has just bought.

Gareth Heyes, a researcher, wrote in a blog post published today that “everyone on infosec Twitter appeared to be jumping ship to the infosec.exchange Mastodon server,” so he decided to look into what the commotion was all about.

Heyes found that by tricking users into clicking a fake element he had disguised as a toolbar, he could steal their saved passwords via Chrome’s autofill feature.

After learning that Mastodon permits users to add HTML, Heyes discovered from other users that simply entering :verified: in his username produced a fake blue “official” check.

He used this to inject the :verified: string into an anchor element inside a title attribute:

Input: <abbr title="<a href='https://blah'>:verified:</a>><iframe src=//garethheyes.co.uk/>">

Output: <abbr title="<a href='https://blah'><img draggable=" false" … >><iframe src=//garethheyes.co.uk/>

This bypassed the HTML filter: the sanitizer accepted the :verified: placeholder inside the attribute, and the placeholder was then replaced with an image tag containing double quotes, which terminated the title attribute and let the rest of the injected HTML through.
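As an added illustration (not Heyes’ PoC or the project’s code), the following Python models that ordering bug in miniature: a sanitizer that keeps only allow-listed tags, followed by a string-wide shortcode replacement, beside a fixed variant that replaces shortcodes only in text nodes. The allow-list, emoji markup and sample post are constructed, and the iframe host is a placeholder.

```python
import html
from html.parser import HTMLParser
# Added model of the ordering bug described above: the sanitizer runs first, then
# :shortcode: emoji are swapped for <img> tags in the whole string, attribute
# values included. Hypothetical simplified code, not the project's; the allow-list,
# emoji markup and sample post are constructed.
ALLOWED = {"abbr": {"title"}, "a": {"href"}, "p": set()}
EMOJI = {"verified": '<img draggable="false" class="emoji" alt=":verified:">'}
def emojify(text):
    for name, markup in EMOJI.items():
        text = text.replace(f":{name}:", markup)
    return text
class Sanitizer(HTMLParser):  # rebuilds a fragment from allow-listed tags/attributes
    def __init__(self, emojify_text=False):
        super().__init__()
        self.out, self.emojify_text = [], emojify_text
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # drop the element, keep its text content
        parts = [tag]
        for name, value in attrs:
            if name in ALLOWED[tag] and value is not None:
                # Only " and & need escaping here; a raw < inside a quoted
                # value is inert until a later step inserts a " of its own.
                v = value.replace("&", "&amp;").replace('"', "&quot;")
                parts.append(f'{name}="{v}"')
        self.out.append("<" + " ".join(parts) + ">")
    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        text = html.escape(data, quote=False)
        self.out.append(emojify(text) if self.emojify_text else text)
    def render(self, fragment):
        self.feed(fragment); self.close()
        return "".join(self.out)

def vulnerable_render(fragment):  # sanitize, then emojify attributes and all
    return emojify(Sanitizer().render(fragment))

def safe_render(fragment):  # emojify text nodes only, during the rebuild
    return Sanitizer(emojify_text=True).render(fragment)

def elements_created(fragment):  # elements a browser-like parser creates
    seen, parser = [], HTMLParser()
    parser.handle_starttag = lambda tag, attrs: seen.append(tag)
    parser.feed(fragment); parser.close()
    return seen
# Constructed post body in the shape shown above; the host is a placeholder.
PAYLOAD = "<abbr title=\"<a href='https://blah'>:verified:</a>><iframe src=//attacker.example/>\">"
```

Run through the vulnerable path the sanitized fragment yields an abbr and a live iframe; through the fixed path only the abbr survives and the shortcode inside the attribute is left untouched.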

The final obstacle was a fairly strict Content Security Policy (CSP), Heyes said. “The filter was completely broken, since I could just inject arbitrary HTML, but one more thing stood in my way,” he said.

With the exception of iframes, which were allowed any HTTPS URL, “pretty much every resource was limited to infosec.exchange.”


Heyes then realised he could forge a login form by injecting form elements which, combined with Chrome’s autofill, would let an attacker obtain the user’s password.

To make matters worse, the researcher was able to mimic Mastodon’s own toolbar. When a user clicks one of the spoofed toolbar’s items, their credentials are sent to an attacker’s server.

Heyes then tested whether Chrome would still autofill credentials when the inputs were hidden. The browser filled them in just as readily when the inputs were given an opacity of zero.

Heyes could not use inline styles because of the CSP, but after browsing the site’s CSS files he quickly found an existing class with opacity:0 that “worked wonderfully.”

He explained: “Add the PoC script into the post text section and press publish. When a user views the post and clicks on what they believe to be the Mastodon toolbar, their passwords are sent to an external server.

“In a real attack, the user would be sent back to the site while the passwords are kept.”


Heyes said that because the vulnerability is on the server side, “there’s nothing a user could do to defend themselves”, and that every Mastodon instance running the Glitch fork of Mastodon is vulnerable.

On how to stop passwords from being hijacked, he added: “Therefore, it would be a great idea to only autofill the password with human input.”

Heyes reported the bug to Glitch immediately, and volunteers have since made a fix for the problem available in the Glitch repo.