As Mastodon experiences explosive user growth as a replacement for Twitter, infosec experts are pointing out security holes in the social media network. From an anonymous server collecting user information to configuration errors that create vulnerabilities, the increased popularity of the platform is leading to increased scrutiny of its flaws.
Unlike other social media apps, which have a central authority, Mastodon is a federation of servers that can communicate with each other, but which are maintained and run separately by independent admins. That means different rules, different configurations, and sometimes different software versions could apply to different users and postings.
One of the most popular “instances” — the Mastodon term for individual servers/communities — for the cybersecurity community is infosec.exchange, and its members certainly scrutinize its configuration. Gareth Heyes (@gaz on infosec.exchange), a researcher at PortSwigger, uncovered an HTML injection vulnerability stemming from attributes of the specific software fork used.
In another example from a recent Security Week article, Lenin Alevski (@alevsk on infosec.exchange), a security software engineer at MinIO, pointed out a system misconfiguration that would allow him to download, modify, or delete everything in the instance’s S3 cloud storage bucket.
Finally, researcher Anurag Sen (@hak1mlukha on infosec.exchange) discovered an anonymous server that was scraping Mastodon user data.
Twitter Users Flock to Mastodon
Until recently, Mastodon was considered part of the social-media underground, an alternative to Twitter created in 2016 as an escape hatch in the face of buyout rumors. When Elon Musk first agreed to buy the microblogging behemoth back in April, Mastodon gained 30,000 new users in a day, compared to a more typical growth of below 2,000 a day. But that’s a drop in the bucket compared to the 135,000 new users who joined on Nov. 7.
“Treat the Fediverse and any Mastodon instance as a place to share information, connect, and collaborate in the same way you’d do those things in person in a town square or public coffee shop. In short, don’t use Mastodon to send sensitive, personal, or private information you wouldn’t be comfortable posting publicly anyway,” said Melissa Bischoping, director and endpoint security research specialist at Tanium, via email.
“Aside from the code, the way Mastodon is segmented means one or two people who administer a particular instance are the weak link in the security model,” added David Maynor, senior director of threat intelligence at Cybrary. “My moving advice is firmly ‘buyer beware.'”