Security experts are laying Mastodon's flaws bare


The rising popularity of Mastodon, partly as a side-effect of Elon Musk buying Twitter, has triggered a wave of vulnerability discoveries in the app.

Cybersecurity researchers using the platform recently disclosed three separate vulnerabilities that could allow threat actors to tamper with user data, or even download it.

For example, Gareth Heyes, a researcher at PortSwigger, discovered an HTML injection vulnerability. Lenin Alevski, a security software engineer at MinIO, discovered a misconfiguration that allowed him to download, modify, and even delete everything stored in a Mastodon instance’s S3 cloud storage bucket. And Anurag Sen found an anonymous server scraping Mastodon user data.

Thousands of new users

Every time there is a tectonic shift on a social media platform, some users decide it is best to move elsewhere.

Elon Musk’s recent Twitter acquisition is no different, with some reports claiming that Mastodon has had as many as 30,000 new users coming in every day, in the days leading up to the acquisition (up from the usual 2,000 a day). On November 7, Mastodon got 135,000 new people.

Increasing popularity also means increased scrutiny, which isn’t necessarily a bad thing. Mastodon was always perceived as a good alternative to Twitter, and discovering and remedying various vulnerabilities can only make it a stronger competitor. 

Unlike the blue bird, Mastodon is a decentralized social platform made up of many servers that can communicate with one another but are run independently, each with its own rules and configuration. These servers and their communities are called instances.

Talking to Dark Reading, Melissa Bischoping, director and endpoint security research specialist at Tanium, warned users against sharing sensitive data via the platform.

“Don't use Mastodon to send sensitive, personal, or private information you wouldn't be comfortable posting publicly anyway,” she said.

Via: Dark Reading

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.