Mastodon’s growing popularity, partly as a side effect of Elon Musk’s purchase of Twitter, has sparked a wave of vulnerability discoveries in the app.
Cybersecurity researchers using the platform recently discovered three separate vulnerabilities that could allow cybercriminals to manipulate data and even download it.
For example, PortSwigger researcher Gareth Heyes discovered an HTML injection vulnerability. MinIO security software engineer Lenin Alevski discovered a misconfiguration that allowed him to download, modify, and even delete everything in a Mastodon instance's S3 cloud storage bucket, and Anurag Sen found an anonymous server collecting Mastodon user data.
Thousands of new users
Whenever there is a tectonic movement on a social media platform, some users decide it is best to move elsewhere.
Elon Musk’s recent Twitter acquisition is no different, with some reports claiming that Mastodon had as many as 30,000 new users arriving every day in the days leading up to the acquisition (up from the usual 2,000 per day). On November 7, Mastodon gained 135,000 new people.
Rising popularity also means increased scrutiny, which isn't necessarily a bad thing. Mastodon has always been seen as a good alternative to Twitter, and discovering and fixing security vulnerabilities can only make it a stronger competitor.
Unlike the blue bird, Mastodon is a decentralized social platform consisting of a series of servers that can communicate with each other, but essentially run separately, with separate rules and configurations. These servers and communities are called instances.
In an interview with the publication, Melissa Bischoping, Director of Endpoint Security and a research specialist at Tanium, warned users against sharing sensitive data via the platform.
“Do not use Mastodon to send sensitive, personal or private information that you wouldn’t feel comfortable posting publicly anyway,” she said.
By: Dark Reading