Researchers from cybersecurity firm Mastodon discovered that Mastodon’s decentralized alternative to Twitter had many security vulnerabilities. Mastodon’s users have increased since Elon Musk, a tech entrepreneur took over Twitter. Many are unhappy with Musk’s policies and his decision to reinstate controversial figures like former President Donald Trump.
While the interface may look similar to Twitter, it’s not managed by any single company or entity. SecurityWeek reports that it is a self-hosted, open-source social network platform.
There are many Mastodon servers that can be joined by users, each one interconnected, and they’re called instances. While the rules might differ on different servers, the most important concern should be that users are not privy to any security breaches.
Researchers already found an HTML injection vulnerability, which can be used to steal user credentials. A second exploit that could let hackers download every file on a server and even photos shared via direct messages was also discovered by researchers.
Melissa Bischoping is Tanium’s director of endpoint security research and specialist in Mastodon.
She stated via email that open-source and decentralized platforms have many benefits and will continue to grow in popularity.
Boschoping said that Mastodon members should not be mistaken for a Twitter replacement and they should know about the special features in the “Fediverse”.
David Maynor, Cybrary’s senior threat intelligence director, said via email, “Mastodon may not be the panacea that many people fleeing Twitter May believe it is,”
Maynor added that, “While it was an open-source project over many years, it never got close to the server load or scrutiny it has lately.” He also suggested that vulnerability scanners have helped identify critical bugs.
Apart from the code itself, Mastodon’s segmentation means that only one or two individuals can administer an instance of Mastodon.
Maynor warned those who want to quit Twitter.
His final words were: “Buyer beware!”
The Decentralized Platform Has Its Risks
The issue here is how Mastodon was created. Administrators manage each instance. They have control of the infrastructure as well as the software on the servers.
Boschoping explained that this means you trust the administrators to protect and preserve their instances and your account.
However, many instances run by individuals or small companies without security budgets and staff, so users shouldn’t assume they are secure.
Boschoping stated that you don’t need to use it. But it doesn’t mean you should assume all data sent there is secure from theft, seizure or destruction by law enforcement. You should treat the Mastodon instance and the “Fediverse” as places to exchange information, connect, collaborate, just like you would do it in person at a public square or coffee shop.
Boschoping argued that Mastodon should not be used in place of other communication methods, like encrypted peer-to–peer messaging or more secure email.
Boschoping said that the password should never be used to send “sensitive, personal or private information” which you would not feel comfortable sharing publically. “Given the potential for vulnerabilities and exploitation, follow the best practices for account management – unique passwords and multi-factor authentication. Finally, numerous instances were set up to report vulnerabilities and test security. As the platform becomes more popular, the community of ethical hackers and bug hunters can contribute their expertise and help improve the security.