Normalization gone wrong, Mastodon, when attempting to normalize a domain would intend to remove any trailing /from it, however they did this using .delete("/") which removes all / characters from the string instead of just a trailing /. This meant that someone could use an account like someone@mastodon.so/cial to spoof the account someone@mastodon.social.