Vulnerability in Mastodon Could Let Hackers Hijack Accounts
Mastodon, an open source and decentralized social media platform, is currently in the midst of a security alert. Cybersecurity experts have disclosed a critical vulnerability, dubbed CVE-2024-23832, that leaves millions of accounts at risk of being hijacked by malicious actors.
The flaw scored a 9.4 out of 10 on the Common Vulnerability Scoring System (CVSS), and it stems from insufficient origin validation in Mastodon. This makes it possible for attackers to impersonate legitimate users and gain unauthorized access to their accounts.
This issue affects all versions of Mastodon prior to 3.5.17, as well as 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5. Attackers exploiting this flaw could carry out a range of unauthorized actions, including posting content, accessing private messages, and altering account settings without the owner's knowledge or consent.
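For an administrator who runs or monitors several instances, the practical question is whether each one sits inside the affected ranges listed above. The following Ruby script is an added example written for this page, not code from the article or from the Mastodon project. It encodes only the fixed versions the advisory names (3.5.17, 4.0.13, 4.1.13, 4.2.5); the hostnames and version strings in the sample inventory are constructed, and the treatment of pre-release tags and of branches newer than 4.2 is our assumption, marked as such in the comments.

```ruby
# Added example: decide whether a Mastodon version string falls inside the
# affected ranges for CVE-2024-23832. Not from the article or from Mastodon.

# Turn "4.2.4", "v4.2.5" or "4.2.5-rc1" into a sortable key
# [major, minor, patch, release_flag]. The fourth element orders a
# pre-release (0) before its final release (1), so "4.2.5-rc1" sorts below
# "4.2.5" and is still reported as unpatched (our assumption).
def version_key(str)
  m = str.strip.match(/\Av?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?\z/)
  raise ArgumentError, "unrecognised version: #{str.inspect}" unless m
  nums = m[1..3].map(&:to_i)
  nums << (m[4] ? 0 : 1)
end

# First fixed release on each maintained 4.x branch, as stated in the advisory.
FIX_BY_BRANCH = {
  [4, 2] => version_key("4.2.5"),
  [4, 1] => version_key("4.1.13"),
  [4, 0] => version_key("4.0.13"),
}.freeze

# Everything before this release on the 3.x line is affected.
LEGACY_FIX = version_key("3.5.17").freeze

def vulnerable?(str)
  key = version_key(str)
  branch = key[0, 2]
  fix = FIX_BY_BRANCH[branch]
  if fix
    (key <=> fix) < 0
  elsif (branch <=> [4, 0]) < 0
    # Older than the 4.x line: only 3.5.17 and later carry the fix.
    (key <=> LEGACY_FIX) < 0
  else
    # 4.3 or newer did not exist when the advisory was issued; we assume
    # (our assumption, not the article's) that later branches include the fix.
    false
  end
end

# Given {instance_host => version}, return the hosts that still need upgrading.
def unpatched_instances(inventory)
  inventory.select { |_host, version| vulnerable?(version) }.keys
end

# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = {
  "social.example" => "4.2.4",
  "alpha.example"  => "4.2.5",
  "beta.example"   => "4.1.13",
  "legacy.example" => "3.5.16",
  "rc.example"     => "4.2.5-rc1",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "Instances still affected by CVE-2024-23832:"
  unpatched_instances(SAMPLE_INVENTORY).each do |host|
    puts "  #{host} (#{SAMPLE_INVENTORY[host]})"
  end
end
```

The version string an instance advertises can be read from its public instance metadata, so the same check can be run against a fleet by filling the inventory hash from that source instead of the constructed sample. Anything that does not parse as a three-part version raises an error rather than silently passing, which is the safer failure for a patch-status check.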
Mastodon has gained popularity as an alternative to mainstream social networks, particularly following Elon Musk's acquisition of X (formerly Twitter). It operates on a decentralized model with thousands of independent servers hosting diverse communities. While offering a unique blend of autonomy and privacy, this structure complicates the application of security updates, as each server or "instance" is managed independently.
In response to the threat, Mastodon's development team has released a patch to close the security loophole and urged all server administrators to update their instances to the latest version. In an effort to prevent exploitation by hackers, detailed information about the vulnerability has been withheld until February 15, 2024, providing administrators with a window to secure their servers.
The swift uptake of the patch, as reported by fediverse network stat collector FediDB, indicates a strong and proactive response within the Mastodon community. More than half of all active servers were updated within a day of the advisory being issued, showcasing the effectiveness of Mastodon's communication channels and the vigilance of its user base.