SecurityWeek

Vulnerabilities

Security Researchers Looking at Mastodon as Its Popularity Soars

Cybersecurity researchers are increasingly looking at Mastodon now that the decentralized social media platform’s popularity has soared, and they have started finding vulnerabilities and other security issues.


After Elon Musk acquired Twitter, he made a series of significant changes, including firing staff and modifying features, which have had a negative impact on the platform’s security. This has led to a Twitter security chief resigning and to the FTC saying it was deeply concerned.

Many Twitter users have been looking at alternatives and one of them has been Mastodon, which over the weekend reported passing more than 2 million monthly active users, with hundreds of thousands of new users signing up every week since Musk officially took over Twitter.

Mastodon has a user interface similar to Twitter’s, but unlike Twitter, it’s not owned by a single company. Instead, Mastodon is free and open-source software for running self-hosted social networking services.

There are thousands of individual but interconnected Mastodon servers, called instances, that users can join. Unlike Twitter, where rules decided by the company are enforced across the entire platform, each of the Mastodon instances has its own content rules.


Much of the cybersecurity community has joined the ‘Infosec.exchange’ instance on Mastodon and some researchers have already started identifying issues, including ones specific to this server and ones that could impact the entire platform.

Gareth Heyes, a researcher at PortSwigger, discovered earlier this month that the Infosec.exchange instance was affected by an HTML injection vulnerability that could have been exploited to steal users’ credentials.

The attack involved abusing Chrome’s autofill feature to steal users’ stored credentials by getting the targeted user to click on a malicious element on a page.


The issue was specific to Glitch, the Mastodon fork that Infosec.exchange runs, and stemmed from an HTML attribute that Glitch’s developers permit but upstream Mastodon does not. A patch has been released.

Lenin Alevski, a researcher working for MinIO, also discovered a potentially serious issue in Infosec.exchange this month. He identified a misconfiguration that could have been exploited to download all the files on the server, including files shared through direct messages. The same misconfiguration also allowed him to delete all the files on the server and to replace existing files, such as profile pictures.

The administrator of the Infosec.exchange server quickly addressed the issue, but Alevski found similar problems on a couple of other popular Mastodon instances as well.
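The article describes the file-store misconfiguration only by its effect (anonymous read of every file, anonymous delete, anonymous overwrite), not by its cause. The probe below is an added example, not code from the article or from Alevski’s research, that an instance administrator could run against their own media store to confirm none of those three capabilities is open to an unauthenticated client. It assumes, as the article does not state, that the instance stores media in an S3-compatible bucket (Mastodon supports this through its S3 settings); the bucket URL, the canary key and the constructed status-code responses used for the offline run are placeholders.

```python
"""Anonymous exposure probe for an S3-compatible media bucket.

Added example: not from the article or Alevski's research. Assumes the media
store speaks the S3 HTTP API; bucket URL and canary key are placeholders.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import urllib.error
import urllib.request

# A requester takes (method, url, body) and returns the HTTP status code.
Requester = Callable[[str, str, Optional[bytes]], int]


def urllib_requester(method: str, url: str, body: Optional[bytes]) -> int:
    """Unauthenticated request: no Authorization header or signature is sent,
    so the bucket's answer reflects what the anonymous principal may do."""
    req = urllib.request.Request(url, data=body, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


@dataclass
class ExposureReport:
    anonymous_list: bool
    anonymous_write: bool
    anonymous_delete: bool

    def findings(self) -> List[str]:
        out = []
        if self.anonymous_list:
            out.append("bucket listing is public: every stored object, "
                       "including DM attachments, can be enumerated and fetched")
        if self.anonymous_write:
            out.append("anonymous PutObject accepted: existing files such as "
                       "profile pictures can be overwritten")
        if self.anonymous_delete:
            out.append("anonymous DeleteObject accepted: stored files can be destroyed")
        return out


def classify(list_status: int, put_status: int, delete_status: int) -> ExposureReport:
    """Map the three status codes to an exposure report.

    S3-style services answer a successful ListObjectsV2 with 200, a successful
    PutObject with 200 and a successful DeleteObject with 204 (some compatible
    stores use 200). 401/403 mean the anonymous principal was refused.
    """
    return ExposureReport(
        anonymous_list=list_status == 200,
        anonymous_write=put_status in (200, 201),
        anonymous_delete=delete_status in (200, 204),
    )


def probe_bucket(bucket_url: str, requester: Requester = urllib_requester,
                 canary_key: str = "exposure-probe/canary.txt") -> ExposureReport:
    """Issue the three anonymous requests against bucket_url and classify them.

    PUT and DELETE target a canary key under a dedicated prefix so the probe
    never touches real media; issuing the DELETE against the same canary also
    cleans up after a successful PUT.
    """
    base = bucket_url.rstrip("/")
    list_status = requester("GET", f"{base}/?list-type=2&max-keys=1", None)
    put_status = requester("PUT", f"{base}/{canary_key}", b"exposure probe\n")
    delete_status = requester("DELETE", f"{base}/{canary_key}", None)
    return classify(list_status, put_status, delete_status)


def fake_requester(responses: Dict[str, int]) -> Requester:
    """Offline requester built from a constructed method -> status map,
    so the probe logic can be exercised without a network."""
    def requester(method: str, url: str, body: Optional[bytes]) -> int:
        return responses[method]
    return requester


if __name__ == "__main__":
    # Constructed responses for a fully open bucket (placeholder hostname).
    open_bucket = fake_requester({"GET": 200, "PUT": 200, "DELETE": 204})
    report = probe_bucket("https://media.example-instance.invalid", open_bucket)
    for line in report.findings():
        print("FINDING:", line)
```

Against a live bucket, swap in `urllib_requester` (the default) and point `probe_bucket` at the bucket’s base URL; a correctly locked-down media store returns 403 for the listing and for both canary requests, while objects remain fetchable by their exact key because Mastodon serves media by direct URL. A 200 on the listing is the condition that turns a private-message attachment into something any visitor can enumerate.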

Researcher Anurag Sen reported on November 15 that he discovered someone scraping user data from Mastodon. Sen found an unprotected database storing the information of more than 150,000 users, and the scraping process appeared to be ongoing. The collected data included display name, account name, following/followers counts, and the date and time of the last status update.

According to HackRead, the database, which appears to belong to a third party, can be accessed without authentication and the researcher could not determine who it belongs to.

A few other vulnerabilities have been found and fixed in Mastodon earlier this year, including a high-severity issue that could allegedly allow a remote attacker to gain unauthorized access to sensitive information, and a critical flaw that could allow brute force attacks.

Related: Peiter ‘Mudge’ Zatko: The Wild Card in Musk’s Clash With Twitter

Related: Twitter Breach Exposed Anonymous Account Owners

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
