Conversation

Notices

1. CrunkLord420 (crunklord420@rdrama.cc)'s status on Saturday, 27-May-2023 04:29:57 JST CrunkLord420

   • Alex Gleason
   @alex would have running uMatrix immunize users (admins) against the XSS exploit? It ultimately relies on cross-domain network communication, right?
   •  (mint@ryona.agency)'s status on Saturday, 27-May-2023 04:29:57 JST 

     in reply to

     • Alex Gleason
     @crunklord420 @alex Not unless the payload is either pulled from mediaproxy or uploaded locally.
   • CrunkLord420 (crunklord420@rdrama.cc)'s status on Saturday, 27-May-2023 04:37:50 JST CrunkLord420

     in reply to

     • Alex Gleason
     @alex nice
      likes this.
   • CrunkLord420 (crunklord420@rdrama.cc)'s status on Saturday, 27-May-2023 04:37:51 JST CrunkLord420

     in reply to

     • Alex Gleason
     @alex the javascript might come from the same domain, but exfiltration of the authentication token requires you to submit it to a third party server, correct? Unless you inject a script to exfiltrate the data over ActivityPub itself.
   • Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 04:37:51 JST Alex Gleason

     in reply to
     @crunklord420 Nope. It hits /api/v1/accounts/lookup where the username is the OAuth token encoded to look like a Nostr pubkey @ mostr.fedirelay.xyz. This causes your server to make a federation request where they simply monitor the logs and pull the token out of the username... absolutely nuts. Read the code. https://i.poastcdn.org/4ed28ef4fa5e18bfa5c1f75a5c1cc759f7b718c0b600e7e2fcc6d0cdb0215f15.txt
   • Alex Gleason (alex@gleasonator.com)'s status on Saturday, 27-May-2023 04:37:52 JST Alex Gleason

     in reply to
     @crunklord420 Not sure what uMatrix is, but the exploit relies specifically on same-domain communication.