Cybersecurity researchers are increasingly looking at Mastodon now that the decentralized social media platform’s popularity has soared, and they have started finding vulnerabilities and other security issues.
After Elon Musk acquired Twitter, he made a series of significant changes, including firing staff and modifying features, which have had a negative impact on the platform’s security. This has led to a Twitter security chief resigning and the FTC saying that it was deeply concerned.
Many Twitter users have been looking at alternatives and one of them has been Mastodon, which over the weekend reported passing more than 2 million active monthly users, with hundreds of thousands of new users signing up every week since Musk officially took over Twitter.
Mastodon has a user interface similar to Twitter, but unlike Twitter, it’s not owned by a single company. Instead, Mastodon is free and open source software for running self-hosted social networking services.
There are thousands of individual but interconnected Mastodon servers, called instances, that users can join. Unlike Twitter, where rules decided by the company are enforced across the entire platform, each of the Mastodon instances has its own content rules.
Much of the cybersecurity community has joined the ‘Infosec.exchange’ instance on Mastodon and some researchers have already started identifying issues, including ones specific to this server and ones that could impact the entire platform.
Gareth Heyes, a researcher at PortSwigger, discovered earlier this month that the Infosec.exchange instance was affected by an HTML injection vulnerability that could have been exploited to steal users’ credentials.
The attack involved abusing Chrome’s autofill feature to steal users’ stored credentials by getting the targeted user to click on a malicious element on a page.
The issue affected a Mastodon fork named Glitch and it existed due to an HTML attribute allowed only by the developers of this fork. A patch has been released.
Lenin Alevski, a researcher working for MinIO, also discovered a potentially serious issue in Infosec.exchange this month. He identified a misconfiguration that could have been exploited to download all the files on the server, including files shared through direct messages. He could also delete all the files on the server, and replace existing files, such as profile pictures.
The administrator of the Infosec.exchange server quickly addressed the issue, but Alevski found similar problems on a couple of other popular Mastodon instances as well.
Researcher Anurag Sen reported on November 15 that he discovered someone scraping user data from Mastodon. Sen found an unprotected database storing the information of more than 150,000 users and the scraping process appeared to be ongoing. The collected data includes display name, account name, following/followers count, and the date and time of the last status update.
According to HackRead, the database, which appears to belong to a third party, can be accessed without authentication and the researcher could not determine who it belongs to.
A few other vulnerabilities have been found and fixed in Mastodon earlier this year, including a high-severity issue that could allegedly allow a remote attacker to gain unauthorized access to sensitive information, and a critical flaw that could allow brute force attacks.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.