Cybersecurity researchers are increasingly looking at Mastodon now that the decentralized social media platform’s popularity has soared, and they have started finding vulnerabilities and other security issues.
After Elon Musk acquired Twitter, he made a series of significant changes, including firing staff and modifying features, which have had a negative impact on the platform’s security. This has led to a Twitter security chief resigning and the FTC saying it was deeply concerned.
Many Twitter users have been looking at alternatives, and one of them has been Mastodon, which over the weekend reported passing more than 2 million monthly active users, with hundreds of thousands of new users signing up every week since Musk officially took over Twitter.
Mastodon has a user interface similar to Twitter, but unlike Twitter, it’s not owned by a single company. Instead, Mastodon is free and open source software for running self-hosted social networking services.
There are thousands of individual but interconnected Mastodon servers, called instances, that users can join. Unlike Twitter, where rules decided by the company are enforced across the entire platform, each of the Mastodon instances has its own content rules.
Much of the cybersecurity community has joined the ‘Infosec.exchange’ instance on Mastodon and some researchers have already started identifying issues, including ones specific to this server and ones that could impact the entire platform.
Gareth Heyes, a researcher at PortSwigger, discovered earlier this month that the Infosec.exchange instance was affected by an HTML injection vulnerability that could have been exploited to steal users’ credentials.
The attack involved abusing Chrome’s autofill feature to steal users’ stored credentials by getting the targeted user to click on a malicious element on a page.
The issue affected a Mastodon fork named Glitch, and it existed because the developers of this fork allowed an HTML attribute that upstream Mastodon does not. A patch has been released.
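The Glitch issue illustrates a general point: when user-supplied HTML is filtered by an allowlist, every tag or attribute added to that allowlist widens what an attacker can inject. The following Python sketch is an added example and not code from Mastodon, Glitch or PortSwigger; the allowlist, the sample fragment and the "style" attribute used to show a widened allowlist are all constructed for illustration and are not the attribute involved in the Glitch bug. It also records what it strips, which gives an instance administrator a signal for spotting injection attempts in user content.

```python
from html.parser import HTMLParser
from html import escape

# Constructed per-tag attribute allowlist (not Mastodon's real one):
# only these tags survive, and only these attributes on them.
BASE_ALLOWED = {
    "a": {"href", "rel"},
    "p": set(),
    "span": {"class"},
}


def _safe_href(value):
    """Accept only absolute http(s) links; drops javascript:, data: etc."""
    v = (value or "").strip().lower()
    return v.startswith("http://") or v.startswith("https://")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allowlisted tags and attributes.

    Everything dropped is recorded in self.dropped as (tag, attr) pairs
    (attr is None when the whole tag was removed) so it can be logged.
    """

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.out = []
        self.dropped = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            self.dropped.append((tag, None))  # e.g. <input>, <form>
            return
        kept = []
        for name, value in attrs:
            if name not in self.allowed[tag]:
                self.dropped.append((tag, name))
                continue
            if name == "href" and not _safe_href(value):
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped so it can never reopen markup.
        self.out.append(escape(data))


def sanitize(fragment, allowed=BASE_ALLOWED):
    """Return (clean_html, dropped) for a user-supplied fragment."""
    parser = AllowlistSanitizer(allowed)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample: a link with an extra attribute plus a stray form field.
    sample = '<p>hi <a href="https://example.org" style="x">l</a> <input name="password"></p>'
    clean, dropped = sanitize(sample)
    print(clean)
    print("dropped:", dropped)
    # Widening the allowlist by one attribute lets it straight through.
    widened = {**BASE_ALLOWED, "a": BASE_ALLOWED["a"] | {"style"}}
    print(sanitize(sample, widened)[0])
```

Running it shows the first pass removing the extra attribute and the whole `<input>` element while logging both, and the second pass, with the allowlist widened by a single attribute, passing that attribute through untouched. Reviewing any allowlist change against what the added attribute can do in a browser, as happened with the Glitch fork, is the mitigation.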
Lenin Alevski, a researcher working for MinIO, also discovered a potentially serious issue in Infosec.exchange this month. He identified a misconfiguration that could have been exploited to download all the files on the server, including files shared through direct messages. He could also delete all the files on the server, and replace existing files, such as profile pictures.
The administrator of the Infosec.exchange server quickly addressed the issue, but Alevski found similar problems on a couple of other popular Mastodon instances as well.
Researcher Anurag Sen reported on November 15 that he discovered someone scraping user data from Mastodon. Sen found an unprotected database storing the information of more than 150,000 users and the scraping process appeared to be ongoing. The collected data includes display name, account name, following/followers count, and the date and time of the last status update.
According to HackRead, the database, which appears to belong to a third party, can be accessed without authentication and the researcher could not determine who it belongs to.
A few other vulnerabilities have been found and fixed in Mastodon earlier this year, including a high-severity issue that could allegedly allow a remote attacker to gain unauthorized access to sensitive information, and a critical flaw that could allow brute force attacks.
SecurityWeek RSS Feed