Security Flaws Discovered in Twitter Alternative Mastodon

It has been a busy couple of weeks at Twitter HQ, to put it lightly. Elon Musk’s purchase of the social media giant has been followed by mass layoffs, resignations, the reinstatement of previously banned users and several questionable UX decisions.

With Twitter facing one controversy after another, over a million people have quit the site – many of whom are now seeking refuge in the rival Mastodon.

The microblogging competitor was created six years ago as a radical alternative to the existing social media landscape. It is open source and decentralised, meaning that it isn’t controlled by a single corporation.

Meanwhile it uses community-based moderation, in which each separately run section of the platform sets its own rules on what content is permitted.

It sounds ideal for critics of Twitter’s dwindling moderation, and the site is starting to gain major traction. In an interview with the New Yorker, Mastodon’s founder, Eugen Rochko, said that the site has grown from 300,000 monthly active users a few months ago to nearly two million.

But before we crown Mastodon as the saviour of social media, we must acknowledge that it has its own problems.

The site has come under scrutiny from cyber security researchers since it was thrust into the limelight, and they have discovered several vulnerabilities that could expose users to a host of problems.

‘Not a panacea’

In an article published earlier this week, Forbes spoke to several experts who discussed security problems with Mastodon’s structure and potential weaknesses in its code.

David Maynor, the senior director of threat intelligence at Cybrary, warned: “Mastodon isn’t the panacea many people fleeing Twitter may think it is.”

For example, researchers have discovered a pair of vulnerabilities that could be used to steal users’ login credentials and download files, including shared photos sent via direct messages.

Maynor cautioned those who are moving to Mastodon as an alternative to Twitter. “My moving advice is firmly ‘buyer beware’,” he said.

Melissa Bischoping, the director and endpoint security research specialist at Tanium, added: “Those joining Mastodon should not consider it a like-for-like Twitter replacement, and should be aware of [its] unique features.”

She is referring to potential weaknesses in the way that Mastodon is designed. The network is made up of ‘instances’, separately operated servers that talk to one another. Administrators set the rules for their instance, but they are also responsible for its infrastructure and software, including keeping it patched.

“This means that you are placing trust in the administrators to secure and maintain their instance, and trusting they will protect your account,” said Bischoping.

“This doesn’t mean you shouldn’t use [Mastodon], but it does mean you should not assume any data shared there is encrypted or protected from theft or seizure by law enforcement,” she continued.

Bischoping concludes by saying that Mastodon shouldn’t be used “to send sensitive, personal, or private information you wouldn’t be comfortable posting publicly anyway”.

“Given the potential for vulnerabilities and exploitation, follow the best practices for account management – unique passwords and multi-factor authentication.

“Lastly, many instances have been set up specifically for the purpose of testing security and reporting bugs and vulnerabilities, so the ethical hacking and bug hunting community can continue to contribute and improve security of the platform as its popularity grows.”
