Security experts are laying Mastodon’s flaws bare
Rising popularity brings Mastodon vulnerabilities to the forefront
The rising popularity of Mastodon, partly as a side-effect of Elon Musk buying Twitter, has triggered a wave of vulnerability discoveries in the app.
Cybersecurity researchers using the platform recently disclosed three separate issues that could let threat actors read, tamper with, or exfiltrate data held by Mastodon instances.
For example, Gareth Heyes, a researcher at PortSwigger, discovered an HTML injection vulnerability. Lenin Alevski, a security software engineer at MinIO, discovered a misconfiguration that allowed him to download, modify, and even delete everything sitting in a Mastodon instance's S3 cloud storage bucket. And Anurag Sen found an anonymous server scraping Mastodon user data.
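The article does not say which setting left the instance's bucket open, only that an outsider could read, overwrite and delete its contents. The most common way that happens is a bucket policy that grants object actions to the anonymous principal. The Python below is an added example, not the researcher's tooling or Mastodon's configuration: it assumes the misconfiguration was an over-broad bucket policy and scans a constructed policy document for statements that give everyone download, modify, delete or enumerate rights. A public ACL or a disabled "block public access" setting would need a separate check through the AWS API.

```python
"""Flag S3 bucket-policy statements that grant anonymous object access.

Added illustration only. SAMPLE_POLICY is constructed for this example and
mirrors the classic mistake: a "deploy" statement meant for a CI role that
was written with Principal "*" instead of the role's ARN.
"""
import json

# Object-level actions an anonymous caller should never hold on an
# instance's media bucket, mapped to what they let the caller do.
SENSITIVE_ACTIONS = {
    "s3:GetObject": "download",
    "s3:PutObject": "modify",
    "s3:DeleteObject": "delete",
    "s3:ListBucket": "enumerate",
}


def _as_list(value):
    """IAM lets most elements be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal element matches everyone, unauthenticated included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws is not None and "*" in _as_list(aws)
    return False


def _matches(pattern, action):
    """Exact match or the wildcard forms '*' and 's3:*' (IAM actions are case-insensitive)."""
    if pattern in ("*", "s3:*"):
        return True
    return pattern.lower() == action.lower()


def capabilities_granted(actions):
    """Return the sorted set of sensitive capabilities covered by an Action element."""
    caps = set()
    for pattern in _as_list(actions):
        for action, cap in SENSITIVE_ACTIONS.items():
            if _matches(pattern, action):
                caps.add(cap)
    return sorted(caps)


def find_public_grants(policy_json):
    """Return one finding per Allow statement that gives the anonymous principal
    a sensitive capability. NotPrincipal / NotAction forms are not evaluated here;
    a statement using them is reported separately so it is not silently skipped."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not grants
        if "NotPrincipal" in stmt or "NotAction" in stmt:
            findings.append({"sid": sid, "capabilities": [], "needs_manual_review": True})
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        caps = capabilities_granted(stmt.get("Action", []))
        if caps:
            findings.append({
                "sid": sid,
                "capabilities": caps,
                # A Condition (e.g. aws:SourceVpce) may restrict the grant; still report it.
                "conditioned": "Condition" in stmt,
            })
    return findings


# Constructed sample: public read is deliberate for served media, the second
# statement is the bug, the third is correctly scoped to a single role.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media/*"},
        {"Sid": "Deploy", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-media/*"},
        {"Sid": "Backup", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-media/*"},
    ],
})

if __name__ == "__main__":
    for finding in find_public_grants(SAMPLE_POLICY):
        print(finding)
```

Run against a real bucket with `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` piped into `find_public_grants`; anything beyond "download" on a media bucket is the class of problem described above, and even "download" deserves a look if the bucket also holds backups or private attachments.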
Thousands of new users
Every time there is tectonic movement on a social media platform, some users decide it’s for the best to just move elsewhere.
Elon Musk's recent Twitter acquisition is no different: some reports claim Mastodon took in as many as 30,000 new users a day in the days leading up to the acquisition (up from the usual 2,000), and on November 7 alone it gained 135,000 new people.
Increasing popularity also means increased scrutiny, which isn’t necessarily a bad thing. Mastodon was always perceived as a good alternative to Twitter, and discovering and remedying various vulnerabilities can only make it a stronger competitor.
Unlike the blue bird, Mastodon is a decentralized social platform, comprising a series of servers that can communicate with one another but are essentially run separately, with separate rules and configurations. These servers and communities are called instances.
Talking to the publication, Melissa Bischoping, director and endpoint security research specialist at Tanium, warned users against sharing sensitive data via the platform.
“Don’t use Mastodon to send sensitive, personal, or private information you wouldn’t be comfortable posting publicly anyway,” she said.
Via: Dark Reading
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.