Mastodon, the leading Twitter alternative, was found to have a high severity vulnerability that hackers could have used to impersonate people and take over their accounts.
The flaw is tracked as CVE-2024-23832 and has a severity rating of 9.4. It affects all versions of Mastodon prior to 3.5.17, 4.0.13 and 4.2.5.
The vulnerability has now been fixed and administrators are advised to apply the fix without delay. Specific details about the flaw are currently being withheld, as Mastodon wants to give administrators enough time to patch. The project promised to share more information on February 15, BleepingComputer reports.
Decentralization and patches
For those who don't know, Mastodon is an open source, decentralized social media platform, which rose to (relative) prominence after Elon Musk bought Twitter.
Out of “fear” of radical changes on Twitter, many people flocked to Mastodon, which is now reportedly home to 12 million users.
Mastodon works on the basis of instances: communities with unique guidelines and policies, governed by their administrators. The instances are then interconnected in a system Mastodon calls a “federation.”
Being decentralized also makes Mastodon somewhat more difficult to patch. Each administrator needs to patch their own instance, and Mastodon has placed a large banner on each server to alert administrators. They have until mid-February to protect their users, after which the accounts on unpatched instances will remain exposed to the hijacking bug.
Mastodon may not be the powerhouse that Twitter is, but its user base is not insignificant. As such, threat actors are also looking for possible vulnerabilities in the platform. Last summer, the project fixed a critical vulnerability identified as CVE-2023-36460, called “TootRoot.” This flaw allowed threat actors to send “toots” (posts) that could create web shells on target instances. The flaw gave attackers full control over the vulnerable server, including access to sensitive user information.