Last week, Mastodon, the decentralized microblogging platform, patched four vulnerabilities that raised concerns about the platform’s security. The vulnerabilities, including cross-site scripting (XSS), arbitrary file creation, denial-of-service (DoS), and a weakness enabling attackers to hide parts of URLs, were discovered by Mastodon founder Eugen Rochko and assigned severity scores ranging from moderate to critical.
Although all four vulnerabilities have been patched, there are still concerns about the potential exploitation of the critical bug, known as TootRoot, which was assigned the CVE-2023-36460 designation. Security researchers have warned that many users and organizations hosting Mastodon servers have not yet patched their systems, making them vulnerable to exploitation. The file creation bug has been described as “very likely to see in the wild exploitation” by one security researcher.
The recent vulnerabilities in Mastodon have drawn parallels with the security history of Twitter. While Twitter has faced its fair share of cybersecurity issues in the past, experts argue that the nature of Mastodon’s decentralized structure introduces new security concerns for the platform. Bryan Ware, chief development officer at ZeroFox, believes that the bugs found in Mastodon are typical for an Internet platform company and points out that the visibility of these bugs is due to Mastodon being an open-source project.
Mastodon has had previous security issues, ranging from straightforward vulnerabilities like HTML injection to more systemic issues like server misconfiguration. Attackers have also targeted Mastodon, with a mysterious server scraping data from hundreds of thousands of Mastodon users being discovered last November.
The decentralized structure of Mastodon is at the heart of its security challenges. Because Mastodon servers, or instances, are operated independently, the federated network as a whole is only as secure as its weakest instance. Instances with lax security measures or outdated software versions can become targets for attackers and compromise the security of their users. This can lead to unauthorized access, denial-of-service attacks, arbitrary code execution, and social engineering attacks.
Furthermore, enterprise Mastodon instances face the risk of account takeovers, where hackers can gain unauthorized access to sensitive information, disrupt communication and collaboration, compromise user accounts, and cause reputational damage. There is also the possibility of compromising a server within the distributed network, which can extend the compromise across the ecosystem, similar to a supply chain compromise.
The responsibility of protecting Mastodon falls on the users themselves. Many Mastodon instances are managed by volunteers who may have limited time and resources to dedicate to security practices. Patches and investigations into potential incidents rely on the availability of these volunteers. The recent bugs in Mastodon were only discovered through a commissioned audit by Mozilla, highlighting the challenges faced by open-source projects in terms of resources and bug hunting.
However, the decentralized nature of Mastodon also has its advantages. With many eyes and hands looking for and fixing problems, transparency is increased compared to proprietary and closed platforms. Users have more visibility into the security of the platform and can actively contribute to its improvement.
To mitigate security risks, enterprises using Mastodon should keep their installations up to date with patches and security updates, enforce strong access controls and secure authentication mechanisms, monitor for suspicious activities, and provide security awareness training to employees. It is also crucial to have a plan in place for recovering control of compromised accounts and verifying account owners’ identities.
While Mastodon users may need to be more proactive in protecting their security compared to users of other platforms, the benefits of no advertising and strong privacy make it an attractive option for many users.