Critical Vulnerability in Mastodon Social Network Allows Account Takeovers

February 3, 2024

Mastodon, a decentralized social networking platform, has patched a critical vulnerability, identified as CVE-2024-23832, that could allow attackers to impersonate and seize control of any user's account. The platform, which has gained popularity since Elon Musk's acquisition of Twitter, now hosts nearly 12 million users across 11,000 instances. These instances, or servers, are autonomous yet interconnected communities, each with its own set of rules and policies, managed by owners who provide the infrastructure and act as server administrators.

The vulnerability, rated 9.4 on the CVSS v3.1 scale, originated from insufficient origin validation in Mastodon, enabling attackers to impersonate users and take over their accounts. This flaw affects all versions of Mastodon prior to 3.5.17, 4.0.13, 4.1.13, and 4.2.5. As of version 4.2.5, released recently, the issue has been resolved, and all server administrators on Mastodon are strongly advised to upgrade to this version as soon as possible to safeguard their users.

For the time being, Mastodon has not released the technical details of the vulnerability to prevent its active exploitation. However, they have pledged to disclose more information about CVE-2024-23832 on February 15, 2024. Although users cannot directly address this security risk, they should ensure that the administrators of their instance have upgraded to a secure version by mid-February to prevent their accounts from being hijacked.

Mastodon has taken proactive measures to alert server administrators about the critical update via a conspicuous banner, ensuring that all actively maintained instances should become aware of the update and transition to the secure version in the coming days. The consequences of account impersonation and takeover on Mastodon could be significant, affecting individual users, communities, and the platform's integrity, making CVE-2024-23832 a severe flaw.

In July 2023, the Mastodon team addressed another critical bug, CVE-2023-36460, also known as 'TootRoot,' which allowed attackers to send 'toots' (equivalent to tweets) that could create web shells on target instances. This flaw could potentially give attackers total control over Mastodon servers, granting them access to sensitive user information, communications, and the ability to plant backdoors.

Related News

• Mastodon Patches Critical TootRoot Bug and Other Vulnerabilities

Latest News

• Russian APT28 Hackers Launch NTLM Relay Attacks on High-Value Global Targets
• CISA Instructs Federal Agencies to Disconnect Ivanti VPN Instances Amidst Zero-Day Exploits
• FritzFrog Botnet Targets Unpatched Internal Hosts via Log4Shell Exploitation
• Apple Addresses Vision Pro Security Flaw, CISA Highlights iOS Vulnerability Exploitation
• Global Container Escapes Enabled by 'Leaky Vessels' Cloud Bugs