Skip links

Critical vulnerability in Mastodon is pounced upon by fast-acting admins

Mastodon has called admins to action following the disclosure of a critical vulnerability affecting the decentralized social network favored by erstwhile Twitter lovers.

With a 9.4 severity score, exploiting CVE-2024-23832 potentially allows attackers to take over Mastodon accounts remotely. 

While very little has been released by way of technical details – allowing admins time to patch before attackers devise exploits – vulnerabilities with such high CVSS scores tend to lead to severe consequences on the affected product and are often relatively easy to exploit.

“Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account,” said Eugen Rochko, CEO and lead developer at Mastodon, in a security advisory.

“Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x version prior to 4.1.13, and 4.2.x versions prior to 4.2.5.”

Rochko said that full details of the vulnerability will be published on February 15, giving admins two weeks to upgrade to the latest version. He said that the disclosure of “any amount of detail would make it very easy to come up with an exploit.”

Mastodon is a decentralized social network, meaning it runs on separate servers, independently owned and operated by their respective administrators.

Although this brings benefits like enabling specific rules and restrictions for different communities, it also means each must be updated by the admins individually. It’s not a case where the entire platform can go down for maintenance for an hour and everything is fixed.

“The underlying engineering of the Mastodon platform is different than other social media networks in that it is a decentralized system,” said Elliott Wilkes, chief technology officer at Advanced Cyber Defence Systems. 

“Each instance of Mastodon is hosted separately from all others, and while there are common links to allow moving between instances, they are separate, owned, and operated by different people, with different teams managing the security of each. For this reason, each instance of Mastodon requires an economy-of-scale to support its operations, including people to manage infrastructure and security engineering. 

“This is one of the major trade-offs between Mastodon and a centralized social media company like Meta or Instagram, there’s just not the same investment in security because there’s not massive revenue supporting the platform, and each owner of an instance has to perform security management on their own. 

“There aren’t enough details here yet to say exactly why Mastodon is vulnerable and other platforms aren’t but different source code repositories won’t share vulnerabilities unless there is an inherent flaw in one of the open-source packages that are shared between both products.”

The good news for Mastodon users is that more than half of all active servers have already upgraded to the latest version in the space of a day, according to data from fediverse network stat collector FediDB.

Such a fast patch rate was likely the product of how well the Mastodon community publicized the matter. Not only was Rochko’s advisory shared across different instances rapidly, but as screenshots of admin panels show, the platform itself also plastered clear warnings, making it fairly difficult to escape the urgent need to update.

A quick scan of the security advisory history at Mastodon shows this isn’t the only security issue the platform has had to patch over the past year, with two critical bugs, CVE-2023-36460 and CVE-2023-36459, emerging in July 2023.

Both were reported by German pentesting outfit Cure53 during a Mozilla-requested audit. The first scored a near-maximum 9.9 severity rating and involved the abuse of Mastodon’s media processing code. 

Using specially crafted media files could have allowed attackers to create or overwrite any files, allowing for denial of service or remote code execution.

The second involved bypassing Mastodon’s HTML sanitization to include malicious code in preview cards.

“This introduces a vector for Cross-site-scripting (XSS) payloads that can be rendered in the user’s browser when a preview card for a malicious link is clicked through,” the advisory reads. ®