Security Researchers Looking at Mastodon as Its Popularity Soars

Cybersecurity researchers are increasingly looking at Mastodon now that the decentralized social media platform’s popularity has soared, and they have started finding vulnerabilities and other security issues.

After Elon Musk acquired Twitter, he made a series of significant changes, including firing staff and modifying features, which have had a negative impact on the platform’s security. This has led to the resignation of a Twitter security chief, and the FTC has said that it is deeply concerned.

[Image: Vulnerabilities and other security issues found in Mastodon]

Many Twitter users have been looking at alternatives, and one of them has been Mastodon, which over the weekend reported passing more than 2 million monthly active users, with hundreds of thousands of new users signing up every week since Musk officially took over Twitter.

Mastodon has a user interface similar to Twitter’s, but unlike Twitter, it is not owned by a single company. Instead, Mastodon is free and open-source software for running self-hosted social networking services.

There are thousands of individual but interconnected Mastodon servers, called instances, that users can join. Unlike Twitter, where rules decided by the company are enforced across the entire platform, each of the Mastodon instances has its own content rules.

Much of the cybersecurity community has joined the ‘Infosec.exchange’ instance on Mastodon and some researchers have already started identifying issues, including ones specific to this server and ones that could impact the entire platform.

Gareth Heyes, a researcher at PortSwigger, discovered earlier this month that the Infosec.exchange instance was affected by an HTML injection vulnerability that could have been exploited to steal users’ credentials.

The attack involved abusing Chrome’s autofill feature to steal users’ stored credentials by getting the targeted user to click on a malicious element on a page.

The issue affected a Mastodon fork named Glitch, and it existed because the developers of this fork allow an HTML attribute that upstream Mastodon does not. A patch has been released.

Lenin Alevski, a researcher working for MinIO, also discovered a potentially serious issue in Infosec.exchange this month. He identified a misconfiguration that could have been exploited to download all the files on the server, including files shared through direct messages. The same misconfiguration would also have allowed an attacker to delete all the files on the server and to replace existing files, such as profile pictures.

The administrator of the Infosec.exchange server quickly addressed the issue, but Alevski found similar problems on a couple of other popular Mastodon instances as well.

Researcher Anurag Sen reported on November 15 that he had discovered someone scraping user data from Mastodon. Sen found an unprotected database storing the information of more than 150,000 users, and the scraping appeared to be ongoing. The collected data includes display name, account name, following/follower counts, and the date and time of the last status update.

According to HackRead, the database, which appears to belong to a third party, can be accessed without authentication, and the researcher could not determine who owns it.

A few other vulnerabilities were found and fixed in Mastodon earlier this year, including a high-severity issue that could allegedly allow a remote attacker to gain unauthorized access to sensitive information, and a critical flaw that could allow brute-force attacks.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.