Security experts expose flaws in Mastodon

Mastodon's growing popularity, partly a side effect of Elon Musk's purchase of Twitter, led to a number of vulnerability discoveries in the app.

Cybersecurity researchers using the platform recently disclosed three separate issues that could let threat actors inject content, harvest user data, or upload, alter and delete files belonging to an instance.

PortSwigger researcher Gareth Heyes discovered an HTML injection vulnerability. Lenin Alevski, a security software engineer at MinIO, found a misconfiguration that allowed him to upload, modify, and even delete anything in one Mastodon instance's S3 cloud storage bucket. Anurag Sen found an anonymous server extracting user data from Mastodon.
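The S3 bucket problem described above is a storage misconfiguration on the instance operator's side rather than a bug in Mastodon itself, and it is the kind of thing an operator can audit before a researcher does. The script below is an added example, not code from Mastodon, MinIO or any of the researchers named here. It takes a bucket policy in the form `aws s3api get-bucket-policy` returns it and a bucket ACL in the form `aws s3api get-bucket-acl` returns it, and reports any write permission granted to anonymous or all-authenticated callers, showing a weak policy and ACL next to hardened versions. The bucket name, account ID, role ARN and all four sample documents are constructed for the example; a real audit would also turn on S3 Block Public Access, which the script does not model.

```python
import fnmatch
import json

# Actions that let a caller create, overwrite or remove objects in a bucket.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl",
                 "s3:DeleteObject", "s3:DeleteObjectVersion")

# Grantee groups that make an ACL grant public (AllUsers) or near-public
# (AuthenticatedUsers means any AWS account in the world, not just yours).
PUBLIC_GROUPS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")


def _as_list(value):
    """IAM documents allow a scalar or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when a statement's Principal matches every caller, unauthenticated ones included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def load_policy_from_cli_output(text):
    """Parse `aws s3api get-bucket-policy` output, which wraps the policy JSON in a string."""
    return json.loads(json.loads(text)["Policy"])


def anonymous_write_grants(policy):
    """Sorted write actions the policy allows to anonymous callers.

    Allow statements count even if they carry a Condition (over-reports, so a human
    reviews them); Deny statements only cancel a grant when unconditional.
    NotAction and NotPrincipal are deliberately not modelled (assumption: flag for review).
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if not _is_anonymous(stmt.get("Principal")):
            continue
        effect = stmt.get("Effect")
        if effect == "Deny" and stmt.get("Condition"):
            continue
        target = allowed if effect == "Allow" else denied
        for pattern in _as_list(stmt.get("Action")):
            target.update(a for a in WRITE_ACTIONS if _matches(pattern, a))
    return sorted(allowed - denied)


def acl_public_write(acl):
    """(group, permission) pairs from `get-bucket-acl` output that let the public write."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in ("WRITE", "FULL_CONTROL")):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def audit(policy, acl):
    """Combine both checks into one list of findings for a bucket."""
    findings = [f"policy allows anonymous {a}" for a in anonymous_write_grants(policy)]
    findings += [f"ACL grants {perm} to {group}" for group, perm in acl_public_write(acl)]
    return findings


# --- Constructed samples (hypothetical bucket, account and role names) ---
_MEDIA = "arn:aws:s3:::example-mastodon-media/*"
_READ = {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": _MEDIA}

# Weak: public read is normal for a media bucket, but the second statement hands
# every anonymous caller PutObject and all Delete* actions on every object.
WEAK_POLICY_CLI_OUTPUT = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [_READ, {"Sid": "OopsWrite", "Effect": "Allow",
                          "Principal": {"AWS": "*"},
                          "Action": ["s3:PutObject", "s3:Delete*"],
                          "Resource": _MEDIA}]})})

# Hardened: same public read, writes limited to the instance's own IAM role.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [_READ, {
    "Sid": "AppWrite", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-mastodon-web"},
    "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": _MEDIA}]}

_OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                "Permission": "FULL_CONTROL"}
WEAK_ACL = {"Grants": [_OWNER_GRANT, {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "WRITE"}]}
HARDENED_ACL = {"Grants": [_OWNER_GRANT]}

if __name__ == "__main__":
    print("weak:", audit(load_policy_from_cli_output(WEAK_POLICY_CLI_OUTPUT), WEAK_ACL))
    print("hardened:", audit(HARDENED_POLICY, HARDENED_ACL))
```

Run against the weak samples, the audit reports anonymous `s3:PutObject`, `s3:DeleteObject` and `s3:DeleteObjectVersion` from the policy plus an AllUsers WRITE grant from the ACL; the hardened samples produce no findings. Public read on a media bucket is expected for a fediverse instance, which is exactly why a copy-pasted "public" policy that also includes write verbs is easy to miss.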

Thousands of new users

Every time there's a tectonic shift on a social media platform, some users decide it's better to move somewhere else.

Elon Musk's recent acquisition of Twitter is no different, with some reports claiming that Mastodon had up to 30 new users every day in the days leading up to the acquisition (versus 000 per day). On November 2000, Mastodon welcomed 7 new people.

Rising popularity also means increased scrutiny, which isn't necessarily a bad thing. Mastodon has always been seen as a good alternative to Twitter, and discovering and fixing various vulnerabilities can only make it a stronger competitor.

Unlike Twitter, Mastodon is a decentralized social platform made up of many independently run servers that can communicate with each other but essentially operate separately, each with its own rules and settings. These servers and their communities are called instances.

Speaking to Dark Reading, Melissa Bischoping, director of endpoint security research at Tanium, warned users not to share sensitive data via the platform.

"Don't use Mastodon to send sensitive, personal or private information that you wouldn't feel comfortable posting anyway," she said.

Via: Dark Reading