Mastodon, the decentralized, open-source social networking platform, has patched several vulnerabilities, among them a critical one with potentially severe consequences. That flaw let an attacker upload specially crafted media files that caused the server's media-processing code to create arbitrary files on the server, a primitive that can be turned into full server compromise. The Mastodon team has shipped patches for all of the reported issues.
Mastodon is free, open-source software for running self-hosted social networking services, with microblogging features similar to Twitter's. It runs as many independent servers, called instances, each with its own guidelines, rules, privacy settings and content moderation policies.
Instances contribute to a diverse ecosystem of interconnected social networks, providing users with a range of choices and experiences.
Mastodon has roughly 8.8 million users spread across about 13,000 instances. These servers are run by volunteers who build their own communities while keeping each instance's distinct identity.
The instances, although separate, are interconnected through federation, enabling diverse communities to coexist and interact with one another. This decentralized approach empowers users to choose the instance that aligns with their interests, fostering a vibrant and interconnected ecosystem within the Mastodon platform.
The vulnerabilities were found by Cure53, an independent penetration-testing firm that Mozilla engaged to audit Mastodon's code; Cure53 reported four issues and helped get them fixed. The most severe, nicknamed TootRoot (CVE-2023-36460), gave attackers an easy route to compromising a server.
Mastodon promptly addressed these vulnerabilities, highlighting their commitment to platform security and integrity.
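The page does not say how TootRoot's crafted media files turn into file writes, and the example below does not claim to reproduce it. It is an added illustration, not Mastodon's code, of the general bug class the advisory describes (a media pipeline in which attacker-influenced data decides where a processed file lands) together with two defences: confining a derived path to the media root, and, preferably, not deriving the file name from the upload at all. The function names, `ALLOWED_EXT` and the `/srv/media` root are assumptions made here.

```ruby
require 'securerandom'
require 'tmpdir'

# Added example (not Mastodon's code). Shows the arbitrary-file-creation bug
# class in a media pipeline and two ways to close it. All names are illustrative.

ALLOWED_EXT = %w[.png .jpg .jpeg .gif .webp .mp4 .webm].freeze  # assumption

# VULNERABLE: the destination is built from a name the uploader controls.
# "../../etc/cron.d/x" or an absolute path escapes media_root, so whatever the
# pipeline writes (or overwrites) lands wherever the attacker chose.
def unsafe_output_path(media_root, supplied_name)
  File.join(media_root, supplied_name)
end

# DEFENCE 1: resolve the candidate path lexically and require that it stays
# strictly inside media_root. Raises ArgumentError on any escape attempt.
# (Lexical only: if untrusted users can plant symlinks under the root,
# compare File.realpath results instead.)
def safe_output_path(media_root, supplied_name)
  root = File.expand_path(media_root)
  # expand_path treats a leading "~" as a home-directory lookup; refuse it.
  raise ArgumentError, "home-relative names are not allowed" if supplied_name.start_with?("~")
  # expand_path itself raises ArgumentError on embedded NUL bytes.
  candidate = File.expand_path(supplied_name, root)
  unless candidate.start_with?(root + File::SEPARATOR)
    raise ArgumentError, "refusing to write outside #{root}: #{supplied_name.inspect}"
  end
  candidate
end

# True when safe_output_path refuses the name.
def rejected?(media_root, supplied_name)
  safe_output_path(media_root, supplied_name)
  false
rescue ArgumentError
  true
end

# DEFENCE 2 (preferred): never derive the file name from the upload. Keep only a
# validated extension and let the server pick a random name, so traversal
# sequences in the upload have nothing left to influence.
def generated_output_path(media_root, supplied_name)
  ext = File.extname(supplied_name).downcase
  raise ArgumentError, "unsupported extension #{ext.inspect}" unless ALLOWED_EXT.include?(ext)
  File.join(File.expand_path(media_root), SecureRandom.hex(16) + ext)
end

# Writes processed bytes with O_EXCL so an existing file is never overwritten,
# which also blocks the "overwrite any file the app can reach" variant.
def store_processed(media_root, supplied_name, bytes)
  path = generated_output_path(media_root, supplied_name)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(bytes) }
  path
end

if __FILE__ == $PROGRAM_NAME
  root = "/srv/media"
  puts unsafe_output_path(root, "../../etc/cron.d/x")  # escapes the media root
  puts rejected?(root, "../../etc/cron.d/x")            # true
  puts safe_output_path(root, "sub/../cat.png")         # /srv/media/cat.png
  Dir.mktmpdir { |dir| puts store_processed(dir, "../../evil.png", "\x89PNG".b) }
end
```

The extension check in `generated_output_path` only decides the name; whether the bytes really are a PNG or MP4 still has to be established from the content (magic bytes, a decoder that refuses unknown input), since a media pipeline that hands attacker bytes to an external tool is exposed to that tool's parsers as well.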
Alongside TootRoot, the same releases fixed three more flaws. CVE-2023-36459 is a cross-site scripting (XSS) issue in oEmbed preview cards: attacker-controlled oEmbed data bypasses Mastodon's HTML sanitization, so the attacker's script runs in the browser of any user who views the card, which can lead to account hijacking, impersonation of that user, or access to data the user can see.
CVE-2023-36461 is a denial-of-service flaw: a remote server that answers Mastodon's outbound HTTP requests extremely slowly can tie up the workers waiting on those responses. Finally, CVE-2023-36462, rated high severity, lets an attacker format a "verified" profile link so that it is displayed misleadingly, a convenient lure for phishing.
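As an added example (not Mastodon's code, and not a reproduction of CVE-2023-36461, whose details the page does not give), the Ruby below shows why a slow-drip response is dangerous to any service that fetches remote content: a per-read timeout such as Net::HTTP's `read_timeout` is reset by every byte that arrives, so a peer that sends one byte every few hundred milliseconds never trips it and can hold a worker for as long as it likes. The defence is a deadline on the whole transfer plus a cap on body size. The simulated peer uses `IO.pipe` in place of a socket so the example runs offline; `read_with_limits` and `drip_io` are names chosen here.

```ruby
# Added example (not Mastodon's code): bounding a slow-drip response with a
# deadline on the whole transfer, not just a per-read timeout.

# Monotonic clock, unaffected by wall-clock adjustments.
def now
  Process.clock_gettime(Process::CLOCK_MONOTONIC)
end

# Reads from +io+ until EOF.
#   read_timeout: longest wait for the *next* chunk (what Net::HTTP#read_timeout bounds)
#   deadline:     longest time for the *whole* transfer (what a slow-drip peer needs)
#   max_bytes:    cap on body size, so a fast but endless body is bounded too
# Returns [:ok, body], [:read_timeout, partial], [:deadline, partial]
# or [:too_large, partial].
def read_with_limits(io, read_timeout:, deadline:, max_bytes: 1 << 20)
  start = now
  body = "".b
  loop do
    remaining = deadline - (now - start)
    return [:deadline, body] if remaining <= 0
    # Never wait past the deadline, even when read_timeout is larger.
    ready = IO.select([io], nil, nil, [read_timeout, remaining].min)
    if ready.nil?
      return [(now - start >= deadline ? :deadline : :read_timeout), body]
    end
    chunk = io.read_nonblock(4096, exception: false)
    return [:ok, body] if chunk.nil?       # EOF: peer finished
    next if chunk == :wait_readable        # spurious wakeup; wait again
    body << chunk
    return [:too_large, body] if body.bytesize > max_bytes
  end
end

# Simulated peer: writes each chunk, sleeps +interval+ seconds, then closes.
# A pipe stands in for the socket so the example needs no network.
def drip_io(chunks, interval)
  reader, writer = IO.pipe
  Thread.new do
    begin
      chunks.each { |c| writer.write(c); sleep interval }
    rescue IOError, Errno::EPIPE
      # reader went away first; nothing more to send
    ensure
      writer.close unless writer.closed?
    end
  end
  reader
end

if __FILE__ == $PROGRAM_NAME
  # 200 one-byte chunks at 50 ms each would take 10 s; the 0.4 s deadline cuts it off
  # even though no single wait ever approaches the 1 s read timeout.
  p read_with_limits(drip_io(["x"] * 200, 0.05), read_timeout: 1.0, deadline: 0.4)
end
```

In a real fetcher the same three limits apply on top of the connect timeout, and the deadline should be enforced again around redirects, since each hop otherwise gets a fresh budget.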
These four vulnerabilities affect Mastodon from version 3.5.0 onward and are fixed in releases 3.5.9, 4.0.5 and 4.1.3; administrators running an older release in any of those branches should upgrade. Mastodon's timely patches demonstrate its commitment to the security of the platform.