Twitter Alternative Mastodon Has Security Issues


Earlier this week, cybersecurity researchers put the Twitter alternative Mastodon under the microscope and found that the decentralized social media platform had numerous vulnerabilities and other security issues. Mastodon has seen a surge in users since tech entrepreneur Elon Musk took control of Twitter, as many have taken issue with Musk's policies as well as his reinstatement of controversial figures including former President Donald Trump.

Though the interface is similar to Twitter's, the platform isn't run by a single entity or company. Instead, Mastodon is free and open-source software that anyone can install to host their own social network server, SecurityWeek reported.

As a result, there are thousands of independent but interconnected Mastodon servers, called "instances," that users can join. The rules vary from server to server, but a bigger concern for users should be the seemingly lax security.

Vulnerabilities Discovered

Researchers have already reported an HTML injection vulnerability that could be used to steal users' credentials, as well as a separate flaw that could allow an attacker to download every file stored on a server, including photos shared via direct messages.
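The article does not describe where the HTML injection sits or how it was exploited, so the following is an added, generic illustration rather than the reported Mastodon bug. It shows why injected markup alone, without any script, is enough to go after credentials: a display name rendered unescaped into a Rails-style template can plant a fake "log in again" link that points at an attacker-controlled page. The domain, the template, and the function names are hypothetical; `ERB::Util.html_escape` is the standard Ruby escaping helper, and escaping on output is what Rails' `<%= %>` does by default.

```ruby
require "erb"

# Constructed sample payload: an attacker-controlled profile display name.
# It closes the surrounding <span>, inserts an anchor pointing at a phishing
# page (hypothetical domain), and reopens a <span> so the markup stays tidy.
MALICIOUS_NAME = %q{Alice</span><a href="https://login-mastodon.example/">Session expired, log in again</a><span>}

# Vulnerable rendering: user-controlled text is interpolated straight into HTML.
def render_profile_unsafe(display_name)
  "<span class=\"display-name\">#{display_name}</span>"
end

# Hardened rendering: escape on output, so <, >, &, " and ' become entities and
# the browser shows the payload as text instead of parsing it as markup.
def render_profile_safe(display_name)
  "<span class=\"display-name\">#{ERB::Util.html_escape(display_name)}</span>"
end

# Check used below: does the rendered HTML contain an anchor the template author
# never wrote? (A crude detector, not a substitute for proper escaping.)
def injected_anchor?(html)
  html.scan(/<a\s[^>]*href=/i).any?
end

if __FILE__ == $0
  puts "unsafe: #{render_profile_unsafe(MALICIOUS_NAME)}"
  puts "safe:   #{render_profile_safe(MALICIOUS_NAME)}"
end
```

Run it and compare the two lines: the unsafe output carries a live link to the phishing page, while the safe output shows the same characters as inert text. The same principle applies to bios, post content, and any other field an instance renders from data supplied by users or by other federated servers.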

"Mastodon has quickly emerged as the destination of choice for many who've opted to leave Twitter in recent weeks," said Melissa Bischoping, director and endpoint security research specialist at Tanium.

Via an email, she said that the open-source, decentralized platform has many advantages and the growth in popularity will hopefully lead to additional features and functionality as the open-source platform continues to mature.

"That said, those joining Mastodon should not consider it a like-for-like Twitter replacement, and should be aware of the unique features of the 'Fediverse,'" Bischoping noted.

"Mastodon isn't the panacea many people fleeing Twitter may think it is," warned David Maynor, senior director of Threat Intelligence at security research firm Cybrary, via an email.

"While it's been an open-source project for years, it never came close to the server load and scrutiny it has recently," added Maynor, who further suggested that many critical bugs have been easily discovered with vulnerability scanners.

Aside from the code itself, the way Mastodon is segmented means the one or two people who administer a given instance become the weak link in its security model.

Maynor cautioned those looking to make a clean break from Twitter.

"My moving advice is firmly 'buyer beware,'" he continued.

Decentralized Platform Comes With Risks

The issue lies in how Mastodon is designed. Each instance is managed by an administrator, who has control over the infrastructure and the software running on the servers.

"This means that you are placing trust in the administrators to secure and maintain their instance, and trusting they will protect your account," said Bischoping.

Yet, because many of these instances are run by small entities or individual operators without large budgets or security teams, users should not assume that any instance is secure or private.

"This doesn't mean you shouldn't use it, but it does mean you should not assume any data shared there is encrypted or protected from theft or seizure by law enforcement," Bischoping continued. "Treat the 'Fediverse' and any Mastodon instance as a place to share information, connect, and collaborate in the same way you'd do those things in person in a town square or public coffee shop."

In short, Bischoping suggested that Mastodon shouldn't replace other forms of communication, such as more secure email, or encrypted peer-to-peer messaging.

It shouldn't be used "to send sensitive, personal, or private information you wouldn't be comfortable posting publicly anyway," Bischoping added. "Given the potential for vulnerabilities and exploitation, follow the best practices for account management – unique passwords and multi-factor authentication. Lastly, many instances have been set up specifically for the purpose of testing security and reporting bugs and vulnerabilities, so the ethical hacking and bug hunting community can continue to contribute and improve security of the platform as its popularity grows."
