Security Researchers Looking at Mastodon as Its Popularity Soars

Cybersecurity researchers are increasingly looking at Mastodon now that the decentralized social media platform’s popularity has soared, and they have started finding vulnerabilities and other security issues.

After Elon Musk acquired Twitter, he made a series of significant changes, including firing staff and modifying features, which have had a negative impact on the platform’s security. This has led to a Twitter security chief resigning and to the FTC saying it was deeply concerned.

[Image: Vulnerabilities and other security issues found in Mastodon]

Many Twitter users have been looking at alternatives and one of them has been Mastodon, which over the weekend reported passing more than 2 million active monthly users, with hundreds of thousands of new users signing up every week since Musk officially took over Twitter.

Mastodon has a user interface similar to Twitter, but unlike Twitter, it’s not owned by a single company. Instead, Mastodon is free and open source software for running self-hosted social networking services.

There are thousands of individual but interconnected Mastodon servers, called instances, that users can join. Unlike Twitter, where rules decided by the company are enforced across the entire platform, each of the Mastodon instances has its own content rules.


Much of the cybersecurity community has joined the ‘Infosec.exchange’ instance on Mastodon and some researchers have already started identifying issues, including ones specific to this server and ones that could impact the entire platform.

Gareth Heyes, a researcher at PortSwigger, discovered earlier this month that the Infosec.exchange instance was affected by an HTML injection vulnerability that could have been exploited to steal users’ credentials.

The attack involved abusing Chrome’s autofill feature to steal users’ stored credentials by getting the targeted user to click on a malicious element on a page.


The issue affected a Mastodon fork named Glitch and it existed due to an HTML attribute allowed only by the developers of this fork. A patch has been released.

Lenin Alevski, a researcher working for MinIO, also discovered a potentially serious issue in Infosec.exchange this month. He identified a misconfiguration that could have been exploited to download all the files on the server, including files shared through direct messages. He could also delete all the files on the server, and replace existing files, such as profile pictures.

The administrator of the Infosec.exchange server quickly addressed the issue, but Alevski found similar problems on a couple of other popular Mastodon instances as well.

Researcher Anurag Sen reported on November 15 that he discovered someone scraping user data from Mastodon. Sen found an unprotected database storing the information of more than 150,000 users and the scraping process appeared to be ongoing. The collected data includes display name, account name, following/followers count, and the date and time of the last status update.

According to HackRead, the database, which appears to belong to a third party, can be accessed without authentication and the researcher could not determine who it belongs to.

A few other vulnerabilities have been found and fixed in Mastodon earlier this year, including a high-severity issue that could allegedly allow a remote attacker to gain unauthorized access to sensitive information, and a critical flaw that could allow brute force attacks.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
