Critical Vulnerability in Mastodon Social Network Allows Account Takeovers
February 3, 2024
Mastodon, a decentralized social networking platform, has patched a critical vulnerability, identified as CVE-2024-23832, that could allow attackers to impersonate and seize control of any user's account. The platform, which has gained popularity since Elon Musk's acquisition of Twitter, now hosts nearly 12 million users across 11,000 instances. These instances, or servers, are autonomous yet interconnected communities, each with its own set of rules and policies, managed by owners who provide the infrastructure and act as server administrators.
The vulnerability, rated 9.4 on the CVSS v3.1 scale, stems from insufficient origin validation in Mastodon, which allows an attacker to impersonate users and take over their accounts. The flaw affects all versions of Mastodon prior to 3.5.17, 4.0.13, 4.1.13, and 4.2.5. Patched releases are now available for every supported release branch, and all server administrators are strongly advised to upgrade to the fixed version for the branch they run (3.5.17, 4.0.13, 4.1.13, or 4.2.5) as soon as possible to protect their users.
For the time being, Mastodon has withheld the technical details of the vulnerability so that instances have time to upgrade before the information can be used for active exploitation. The project has pledged to publish more information about CVE-2024-23832 on February 15, 2024. Although users cannot fix this flaw themselves, they can check the version their instance reports (shown on the instance's About page and in its public API) and make sure their administrators have upgraded to a patched release before the February 15 disclosure, to keep their accounts from being hijacked.
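The following script is an added example, not code from the article or from the Mastodon project. It reads the `version` field that a Mastodon instance publishes at `GET /api/v1/instance` and compares it against the fixed versions named above, handling the forms Mastodon and its forks actually report (build metadata such as `+glitch`, pre-release tags such as `-nightly.…`, a leading `v`). The sample version value used offline and the `cve-2024-23832-check` User-Agent string are constructed for this example; the instance domain is supplied on the command line.

```python
"""Check whether a Mastodon instance reports a version fixed for CVE-2024-23832."""
import json
import re
import sys
import urllib.request

# Fixed versions named in the advisory, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (3, 5): (3, 5, 17),
    (4, 0): (4, 0, 13),
    (4, 1): (4, 1, 13),
    (4, 2): (4, 2, 5),
}

# Mastodon reports strings such as "4.2.5", "4.1.13+glitch" (fork build metadata)
# or "4.3.0-nightly.2024-02-01" (pre-release). Build metadata after "+" does not
# affect ordering; a pre-release tag after "-" sorts before the final release.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.\-]+)?(\+[0-9A-Za-z.\-]+)?$"
)


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease); raise ValueError if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Mastodon version string: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    return core, m.group(4) is not None


def assess(version_text):
    """Classify a reported version as 'patched', 'vulnerable' or 'unknown'."""
    core, prerelease = parse_version(version_text)
    branch = core[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # The advisory says every version before 3.5.17 is affected and no fix
        # exists for branches older than 3.5. Branches newer than 4.2 are not in
        # the advisory's version list, so do not guess about them.
        return "vulnerable" if branch < (3, 5) else "unknown"
    if core > fixed:
        return "patched"
    if core == fixed:
        # A pre-release build of the fix version precedes the fix itself.
        return "vulnerable" if prerelease else "patched"
    return "vulnerable"


def fetch_reported_version(domain, timeout=10):
    """Read the public 'version' field from GET https://<domain>/api/v1/instance."""
    req = urllib.request.Request(
        f"https://{domain}/api/v1/instance",
        headers={"User-Agent": "cve-2024-23832-check"},  # constructed for this example
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    if len(sys.argv) == 2:
        reported = fetch_reported_version(sys.argv[1])
    else:
        # Constructed sample value for offline use; not taken from any real instance.
        reported = "4.2.4"
    print(f"{reported}: {assess(reported)}")
```

Run it as `python check.py example.social` to query a live instance. The version field is self-reported: an administrator can hide or alter it, and a fork may carry a backported fix under a different number, so treat "vulnerable" or "unknown" as a reason to ask the instance's administrators rather than as proof either way.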
Mastodon has also alerted server administrators to the critical update with a prominent banner in the admin interface, so that every actively maintained instance should learn of the update and move to a patched version in the coming days. Account impersonation and takeover on Mastodon would affect individual users, their communities, and trust in the platform as a whole, which is what makes CVE-2024-23832 a severe flaw.
In July 2023, the Mastodon team fixed another critical bug, CVE-2023-36460, known as 'TootRoot', which allowed attackers to send 'toots' (Mastodon's equivalent of tweets) that could create web shells on target instances. That flaw could give an attacker control of a Mastodon server, including access to sensitive user information and communications and the ability to plant backdoors.