Mastodon has been getting a lot of attention recently as disenchanted Twitter users flee Twitter in the wake of Elon Musk’s takeover. The Federated open-source social network offers a more decentralized version of social media that stands in contrast to the billionaire-owned version that is Twitter. It may sound refreshing and more in tune with ideas of freedom from dominion, but as Mastodon has been growing in popularity, security experts have been taking to the service to investigate for any particular threats that we should worry about. Here is a quick look at what they have found.
A report by Dark Reading, which is a blog covering and run by the cybersecurity community, has brought together a series of vulnerabilities that have been raised by community members. These include an HTML injection vulnerability and a system misconfiguration that could potentially open up control to a malicious third party.
The HTML injection vulnerability, which has been highlighted by PortSwigger researcher Gareth Heyes could open up the possibility for infosec passwords to be stolen from Mastodon. The system misconfiguration brought to the attention of the cybersecurity community by Lenin Alevski from MinIO offers the possibility for a scammer to download, modify, or even delete everything from a particular server. A third vulnerability raised by Anurag Sen offers malicious actors the chance to scrape user data from a Mastodon server at scale.
In themselves, these issues do not need to set the alarm bells ringing for new Mastodon users. This is mostly how the cybersecurity community works, highlighting vulnerabilities and issues in a service or site, which the company then sets about trying to fix. What is interesting here is that the cybersecurity community is starting to pay more attention to Mastodon as more and more users are signing up. The flip of this is that there will no doubt be a host of scammers out there also trying to take advantage of Mastodon’s new users as they try to familiarize themselves with the tricky interface and not-so-friendly user interface.