Slash Boxes

SoylentNews is people

posted by janrinok on Thursday November 24, @12:12PM   Printer-friendly
from the lock-that-elephant-trunk-up-tight dept.

As the open source social media network grabs the spotlight as a Twitter replacement, researchers caution about vulnerabilities:

As Mastodon experiences explosive user growth as a replacement for Twitter, infosec experts are pointing out security holes in the social media network. From an anonymous server collecting user information to configuration errors that create vulnerabilities, the increased popularity of the platform is leading to increased scrutiny of its flaws.

Unlike other social media apps, which have a central authority, Mastodon is a federation of servers that can communicate with each other, but which are maintained and run separately by independent admins. That means different rules, different configurations, and sometimes different software versions could apply to different users and postings.

One of the most popular "instances" — the Mastodon term for individual servers/communities — for the cybersecurity community is, and its members certainly scrutinize its configuration. Gareth Heyes (@gaz on, a researcher at PortSwigger, uncovered an HTML injection vulnerability stemming from attributes of the specific software fork used.

In another example from a recent Security Week article, Lenin Alevski (@alevsk on, a security software engineer at MinIO, pointed out a system misconfiguration that would allow him to download, modify, or delete everything in the instance's S3 cloud storage bucket.

Finally, researcher Anurag Sen (@hak1mlukha on discovered an anonymous server that was scraping Mastodon user data.

Original Submission

This discussion was created by janrinok (52) for logged-in users only. Log in and try again!
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Insightful) by looorg on Thursday November 24, @01:18PM

    by looorg (578) on Thursday November 24, @01:18PM (#1281461)

    This should probably not come as a great surprise. When it was small and living in obscurity nobody probably bothered to look at it. Now that it becomes "popular" they do. With popularity comes people, and with people comes incentive to monitor or hack it.

    That each instance can install whatever they like, config it however they like probably doesn't help in that regard. That said I'm sure there might eventually be some standardization and configuration war so that someone that wants to put up their own server will probably download settings to fit into a network within the network so to speak. After all if this is done for fun and not profit one can probably not expect the same level of service as say Twitter that employ, or did, people to manage these things fulltime. That shouldn't be a surprise.

    Anonymous servers collecting information about users. That seems to happen with all projects that allow people to set up nodes or servers. TOR has/had the same issue as I recall it. If the userbase is large enough or the information interesting enough things will be monitored by someone.

  • (Score: 1) by Runaway1956 on Thursday November 24, @03:26PM (5 children)

    by Runaway1956 (2926) Subscriber Badge on Thursday November 24, @03:26PM (#1281490) Homepage Journal

    I thought he hijacked a Mastodon, put his name on it, then used it to censor opinions that differed from his own. That's not a great advertisement for Mastodon.

    "no more than 8 bullets in a round" - Joe Biden
    • (Score: 0, Redundant) by Anonymous Coward on Thursday November 24, @04:13PM

      by Anonymous Coward on Thursday November 24, @04:13PM (#1281496)

      Mastodon and all the other Fediverse software are open source, so what he did was fine. It talks using an open protocol (ActivityPub) and some Mastodon servers block the Parler instances with cries of "censorship and oppression!"

    • (Score: 5, Informative) by number11 on Thursday November 24, @08:16PM

      by number11 (1170) on Thursday November 24, @08:16PM (#1281520)

      Trump (or rather, his minions) did copy the software. Being OSS that's allowed, so long as Pravda Social gives credit, which after some tussle they started doing. Who knows, maybe Pravda will even make some improvement to the software that can be incorporated elsewhere. Not likely, but you never know. But Pravda is stand-alone, not part of the larger network, the Fediverse is unlikely to ever allow that.

      It's a little like the mass killer driving a Ford. It's not great for Ford, but it's not the point either.

    • (Score: 0) by Anonymous Coward on Friday November 25, @05:12PM (2 children)

      by Anonymous Coward on Friday November 25, @05:12PM (#1281608)

      I thought he hijacked a Mastodon, put his name on it, then used it to censor opinions that differed from his own. That's not a great advertisement for Mastodon.

      Not so much. Trump Social forked Mastodon for its own use, but didn't provide appropriate attribution []. That's not hijacking.

      it's just like someone buying a gun to hunt with. They keep it locked up separate from ammunition and take it out to go hunting. Then there's someone who buys a gun to sell to criminals so they can shoot people.

      The guns themselves didn't make those decisions, rather the people interacting with those guns did.

      The same is true for Mastodon. When and how it's used is up to the folks who use/manage it. The software isn't responsible for how it's used. If Trump Social (or anyone else) is censoring (or not censoring), that's not the fault of Mastodon, is it?

      In fact, since anyone can set up their own Mastodon instance (as compared with twitter, FB, IG, etc.), it's more egalitarian than other platforms.

      Or did you miss that part?

      • (Score: 2, Funny) by Runaway1956 on Friday November 25, @07:46PM (1 child)

        by Runaway1956 (2926) Subscriber Badge on Friday November 25, @07:46PM (#1281630) Homepage Journal

        So, basically, you're saying that anyone can set up a Mastodon instance, with which to harvest user data, and censor opinions that the administrator doesn't like. It isn't even necessary to make false claims of ownership, or authorship, or to even change the name of the Mastodon instance, like Trump did.

        Got it.

        "no more than 8 bullets in a round" - Joe Biden
        • (Score: 0) by Anonymous Coward on Saturday November 26, @04:17AM

          by Anonymous Coward on Saturday November 26, @04:17AM (#1281683)

          Pretty much, yes, at least as far as I understand it. But other Mastodon/fediverse instances don't have to connect to it and can actively block them. Gab did that. They started out setting up a Mastodon instance (this after raising almost $6M in donations to write their own software, then just picked the open source code out there), but the majority of instances in the fediverse blocked them, so they left the fediverse and supposedly wrote their own backend.

  • (Score: 4, Funny) by Snort on Thursday November 24, @03:45PM (4 children)

    by Snort (5141) on Thursday November 24, @03:45PM (#1281491)

    usenet with extra steps.

    • (Score: 1, Informative) by Anonymous Coward on Thursday November 24, @04:58PM (1 child)

      by Anonymous Coward on Thursday November 24, @04:58PM (#1281501)

      ... in the same way as Teams, Discord etc are really just IRC with a fancy UI.

      • (Score: 4, Insightful) by driverless on Friday November 25, @05:50AM

        by driverless (4770) on Friday November 25, @05:50AM (#1281545)

        Teams isn't IRC with a fancy UI, Teams is like... when a French-speaking manager tried to describe IRC to an English-speaking manager and they had to communicate mostly through gestures, and at the same time the English-speaking manager had various ideas about all sorts of cool features that were needed based on some stuff his daughter talked about wanting for her Android tablet, something he heard in a TED talk, and vague memories of playing with an iPad in an airport lounge a year or two back.

    • (Score: 2, Interesting) by Anonymous Coward on Thursday November 24, @05:00PM

      by Anonymous Coward on Thursday November 24, @05:00PM (#1281502)

      > usenet with extra steps.

      You're in good (err, fast) company, see: [] [warning, Privacy Badger reports 45 potential trackers blocked]

      I think that as Mastodon gets a more mainstream audience, we’ll see the process of spinning up a Mastodon server get easier. The third-party hosting service was flooded with demand over the weekend, clearly showing that people want to take part. If it keeps up, general-interest cloud hosting companies like Vultr and DigitalOcean will probably start promoting one-click Mastodon installs, for example, as they do for Ghost, Minecraft, and WordPress.

      But for folks who find this state of affairs confusing, yes, it is. But historically, social communities have looked much more like Mastodon than they have Twitter. Usenet was built in exactly the same way. So was Yahoo! Chat, ICQ, and IRC. Twitter’s main innovation, in many ways, is that it combines all of these people into one giant public feed and lets users find their people, building interesting conversations from the collisions that this unusual state of affairs created. Eventually algorithms helped with this, but they also made people more comfortable with those contours, and Twitter was only taking steps to resolve this with groups.

    • (Score: 3, Informative) by Magic Oddball on Saturday November 26, @11:16AM

      by Magic Oddball (3847) on Saturday November 26, @11:16AM (#1281712) Journal

      The only real similarity is that it's decentralized... Usenet servers were set up to mirror the contents of each others' public newsgroups (or a subset of them, in addition to any local groups) so users would still see roughly the same content regardless of which server they connected to. Server-level content controls only existed in the forms of a) ".moderated" versions of newsgroups and b) a small percentage of specialized Usenet servers that only mirrored newsgroups that matched their specialty (e.g. Christian news).

      Mastodon is seemingly set up more like email, in that you can connect with an individual or apparently join server-specific discussions, but servers do not echo content and searching across servers isn't possible. Further, the majority of Mastodon servers will only allow connections to other servers that enforce extremely strict censorship rules [], which is obviously very different from other decentralized services of the past.

  • (Score: 1, Redundant) by oumuamua on Thursday November 24, @05:14PM

    by oumuamua (8401) on Thursday November 24, @05:14PM (#1281504)

    Your startup will languish for users and almost die.
    But then one day a billionaire, who a lot of people hate, will buy your main competitor and then the people will flock in droves to your site!
    Security researchers who ignored your site before will point out security flaws.

  • (Score: 3, Interesting) by Username on Friday November 25, @09:09AM (1 child)

    by Username (4557) on Friday November 25, @09:09AM (#1281563)

    The whole point of social media is to let people scrape data. Why point it out?

    Yes, yes, a researcher discovered that anonymous was siphoning free water from a public well. Also a researcher discovered anonymous was walking down the sidewalk in broad daylight looking at other people on the sidewalk. A researcher also discovered anonymous was at a flea market and was looking at everything people were selling, but did not buy anything.

    Should anonymous be allowed to exist? What will he do with this information? We need to control him or he might use the public information we give out against us!

    • (Score: 2) by maxwell demon on Friday November 25, @08:34PM

      by maxwell demon (1608) Subscriber Badge on Friday November 25, @08:34PM (#1281641) Journal

      More importantly: Can that Mastodon instance scrape any data from other Mastodon instances that could not be scraped from the web interface instead? Because if not, I don't see the point; that data is already in the open, and web scraping certainly is possible. Otherwise, I wonder why the servers share that data in the first place.

      The Tao of math: The numbers you can count are not the real numbers.