Security experts are laying Mastodon’s flaws bare
The rising popularity of Mastodon, in part as a side effect of Elon Musk’s purchase of Twitter, has led to a flurry of discovery of vulnerabilities in the app.
Cybersecurity researchers using the platform recently discovered three separate vulnerabilities that allowed threat actors to tamper with and even download the data.
For example, Gareth Heyes, a researcher at PortSwigger, discovered an HTML injection vulnerability. Lenin Alevski, a security software engineer at MinIO, found a storage misconfiguration that allowed him to download, modify, and even delete everything in a Mastodon instance's S3 cloud storage bucket, and Anurag Sen found an anonymous server scraping Mastodon user data.
Thousands of new users
Whenever there is tectonic movement on a social media platform, some users decide it’s best to just go elsewhere.
Elon Musk’s recent Twitter acquisition is no different, with some reports claiming that Mastodon gained as many as 30,000 new users per day in the days leading up to the acquisition (up from the usual 2,000 per day). On November 7 alone, Mastodon gained 135,000 new users.
Increasing popularity also means more scrutiny, which isn’t necessarily a bad thing. Mastodon has always been seen as a good alternative to Twitter, and discovering and fixing several vulnerabilities can only make it a stronger competitor.
Unlike the blue bird, Mastodon is a decentralized social platform, consisting of a series of servers that can communicate with each other, but are essentially managed separately, with separate rules and configurations. These servers and communities are called instances.
In conversation with the publication, Melissa Bischoping, Director of Endpoint Security Research at Tanium, warned users against sharing sensitive data through the platform.
“Don’t use Mastodon to send sensitive, personal or private information that you wouldn’t feel comfortable making public anyway,” she said.
Via: Dark Reading