December 3, 2023

A security researcher has discovered numerous vulnerabilities and configuration issues on the social media platform Mastodon. The platform's growing popularity is bringing increased scrutiny of its flaws.

Mastodon is a federation of servers that can communicate with each other, but which are maintained and run separately by independent admins.

That means different rules, different configurations, and sometimes different software versions could apply to different users and postings.


Uploads on the infosec.exchange instance of Mastodon were stored in storage buckets that failed to apply access controls. An attacker could access a user's profile picture, or any other uploaded data, and replace it with arbitrary content.

The vulnerability also made it possible to download files from the server – including those shared by direct message (DMs on Mastodon, unlike Twitter, are not encrypted). Destructive attacks, including the deletion of files on the server, were also possible.
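The three abuse cases above (anonymous download, overwrite, and deletion of uploaded files) all follow from one misconfiguration: a bucket policy that grants object access to everyone. The following audit script is an added example, not code from the original article or from the infosec.exchange instance. It assumes the uploads live in an S3-compatible bucket governed by a JSON bucket policy (the article does not name the storage provider); the bucket name, policy documents and the application role ARN are constructed for illustration. It flags which of read, write and delete a policy hands to unauthenticated clients, and contrasts a weak policy with a corrected one.

```python
"""Audit an S3-style bucket policy for anonymous read/write/delete grants.

Added example: assumes an S3-compatible bucket with a JSON bucket policy.
All bucket names, ARNs and policies below are constructed samples.
"""
import json

# Actions an anonymous client would need for the three abuse cases the
# article describes: download, overwrite, and delete of uploaded files.
SENSITIVE_ACTIONS = {
    "read": {"s3:GetObject"},
    "write": {"s3:PutObject"},
    "delete": {"s3:DeleteObject"},
}


def _as_list(value) -> list:
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True if the Principal element grants to everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def _action_matches(pattern: str, action: str) -> bool:
    """Match an IAM action pattern ('*', 's3:*', 's3:Get*') against an action."""
    if pattern == "*":
        return True
    svc_p, _, op_p = pattern.partition(":")
    svc_a, _, op_a = action.partition(":")
    if svc_p.lower() != svc_a.lower():
        return False
    if op_p.endswith("*"):
        return op_a.lower().startswith(op_p[:-1].lower())
    return op_p.lower() == op_a.lower()


def public_capabilities(policy: dict) -> set:
    """Return the subset of {'read', 'write', 'delete'} granted anonymously.

    Only Allow statements with an anonymous principal count. A Condition
    element is deliberately ignored (treated as still public), because
    conditions such as aws:Referer are trivially spoofable by a client.
    """
    found = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        patterns = _as_list(stmt.get("Action"))
        for capability, actions in SENSITIVE_ACTIONS.items():
            if any(_action_matches(p, a) for p in patterns for a in actions):
                found.add(capability)
    return found


# Constructed sample: anonymous clients get every object operation,
# which is the failure mode the article describes.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-media-bucket/*"
  }]
}
""")

# Constructed sample: anonymous read of media only; writes and deletes are
# restricted to the application's own role (hypothetical ARN).
CORRECTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-media-bucket/*"
    },
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/mastodon-app"},
      "Action": ["s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::example-media-bucket/*"
    }
  ]
}
""")


if __name__ == "__main__":
    print("weak policy, anonymous:", sorted(public_capabilities(WEAK_POLICY)))
    print("corrected policy, anonymous:", sorted(public_capabilities(CORRECTED_POLICY)))
```

The corrected sample still allows anonymous read because public media is normally served straight from the bucket; since the article notes that direct-message attachments were exposed as well, whether any unauthenticated read should be allowed depends on what the bucket actually holds, and a finding of `read` from this check deserves a look at the contents rather than an automatic pass.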

The security shortcoming – which opened the door to all manner of misuse – was quickly addressed after the researcher reported the issue to Jerry Bell, the sysadmin who administers the infosec.exchange instance of Mastodon.

