Four vulnerabilities in the microblogging platform Mastodon were patched late last week, sparking new questions about the decentralized platform’s security, with overtones of the open source debates of yesteryear.
Security advisories published to GitHub by Mastodon founder Eugen Rochko included cross-site scripting (XSS), arbitrary file creation, and denial-of-service (DoS) vulnerabilities, as well as a weakness enabling attackers to arbitrarily hide parts of URLs. Using the CVSS standard, the bugs were assigned scores ranging from 5.4 (moderate) to 9.9 out of 10 (critical).
All four have since been patched, but the threat isn’t yet averted. Writing about the file creation bug, the one scored 9.9 out of 10, one security researcher noted that “a significant percentage” of users and organizations hosting Mastodon servers “haven’t patched, and this one is very likely to see in the wild exploitation. Widespread exploitation across many instances is as simple as sending a single toot,” Mastodon’s version of a tweet.
The critical bug, dubbed TootRoot by researchers, has been designated as CVE-2023-36460.
Mastodon’s security challenges may inspire some to look back on Twitter’s less than stellar history of cybersecurity with rose-colored glasses. Indeed, the platform’s decentralized nature introduces new kinds of security concerns for a social platform. But experts say there’s no need to overreact.
“My view is: It’s a day in the life of running an Internet platform company,” says Bryan Ware, chief development officer at ZeroFox. “The bugs aren’t good, but they’re typical. I think the difference here is it’s an open source project. So we see it very visibly, and there’s not a marketing department trying to say no, no, it’s not so bad.”
Is Mastodon Insecure?
Mastodon is not new to security issues. Researchers have uncovered straightforward vulnerabilities like HTML injection and more systemic issues like server misconfiguration. Attackers have also begun testing the waters: last November, a mysterious server was spotted scraping data from hundreds of thousands of Mastodon users.
At the heart of the matter is Mastodon’s decentralized structure. Rather than being run by a single company, users and organizations run and subscribe to their own Mastodon servers (“instances”). “Since instances are operated independently and can have different levels of security practices, the overall security of the federated network can be influenced by the weakest link,” Callie Guenther, cyber-threat research senior manager at Critical Start, points out. “Instances with lax security measures or outdated software versions could potentially become targets for attackers and compromise the security of their users.”
An attacker could exploit a vulnerable account or instance “to gain unauthorized access to sensitive information, perform denial-of-service attacks, execute arbitrary code, or engage in social engineering attacks like phishing or cross-site scripting,” she continues. “In an enterprise setting, it could include unauthorized access to confidential business data, disruption of communication and collaboration, compromise of user accounts leading to data breaches, or reputational damage if the enterprise’s Mastodon instance becomes known for security vulnerabilities.”
Randy Pargman, director of threat detection at Proofpoint, emphasizes the unique risk in enterprise account takeover, since hackers “are likely to download copies of direct messages and possibly send public posts from the enterprise account to cause embarrassment or advance a scam.”
And then there are more interesting case scenarios. “There’s a chance you could compromise a server that is part of this distributed network, and through that compromise extend it across the ecosystem, almost like a supply chain compromise,” Ware says. In this way, what should be an advantage to the decentralized model — no single point of failure from which all user data or access controls could leak — is nullified to a degree because, Ware notes, “you don’t necessarily have to compromise Mastodon directly, or Instagram Threads directly, if you can compromise a federated server.”
Onus on Users to Protect Mastodon
The first line of defense for Mastodon, Pargman explains, is the users themselves. “Many Mastodon instances are managed by one person or a small group of volunteers, so it’s up to those people and their availability to get patches deployed quickly, as well as investigate potential incidents to determine if an attacker has gained unauthorized access to a server after the fact.”
Volunteers may have less incentive and time to dedicate to scanning, patching, or bug hunting. Mastodon’s most recent bugs were only discovered thanks to a commissioned audit by Mozilla. Elsewhere, the EU has commissioned bug bounties for the platform, but its prizes of up to $5,000 don’t compare to what any social media titan can offer. It’s the same problem faced by any open source project.
On the flip side, Ware points out, “when everything’s distributed, there are lots of eyes and hands looking to find and fix problems, and a lot of transparency in what those problems may be. Versus a platform that’s proprietary and closed, and you have to trust that they’re taking all of the efforts that they should take.”
Ultimately, Mastodon users will need to take more care of their own security than users of more conventional platforms.
“To mitigate such risks,” Guenther says, “enterprises should ensure that they keep their Mastodon installations up to date with the latest patches and security updates, implement strong access controls, enforce secure authentication mechanisms, regularly monitor for suspicious activities, and provide security awareness training to their employees.”
For his part, Pargman emphasizes post-breach remediation. “It’s important to plan for how long it would take to recover control of a compromised account, and what process the server operator has put in place (if any) for verifying an account owner’s identity to regain control,” he says.
“For most people using social media,” he adds, “security is something they only think about seriously after they’ve experienced a security incident.” Mastodon users may need to be more proactive than their brethren on other platforms, but the benefits of no advertising and stellar privacy may just be worth it.