Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Thursday November 24, @12:12PM   Printer-friendly
from the lock-that-elephant-trunk-up-tight dept.

As the open source social media network grabs the spotlight as a Twitter replacement, researchers caution about vulnerabilities:

As Mastodon experiences explosive user growth as a replacement for Twitter, infosec experts are pointing out security holes in the social media network. From an anonymous server collecting user information to configuration errors that create vulnerabilities, the increased popularity of the platform is leading to increased scrutiny of its flaws.

Unlike other social media apps, which have a central authority, Mastodon is a federation of servers that can communicate with each other, but which are maintained and run separately by independent admins. That means different rules, different configurations, and sometimes different software versions could apply to different users and postings.

One of the most popular "instances" — the Mastodon term for individual servers/communities — for the cybersecurity community is infosec.exchange, and its members certainly scrutinize its configuration. Gareth Heyes (@gaz on infosec.exchange), a researcher at PortSwigger, uncovered an HTML injection vulnerability stemming from attributes of the specific software fork used.

In another example from a recent Security Week article, Lenin Alevski (@alevsk on infosec.exchange), a security software engineer at MinIO, pointed out a system misconfiguration that would allow him to download, modify, or delete everything in the instance's S3 cloud storage bucket.

Finally, researcher Anurag Sen (@hak1mlukha on infosec.exchange) discovered an anonymous server that was scraping Mastodon user data.


Original Submission

 
This discussion was created by janrinok (52) for logged-in users only. Log in and try again!
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Interesting) by Anonymous Coward on Thursday November 24, @05:00PM

    by Anonymous Coward on Thursday November 24, @05:00PM (#1281502)

    > usenet with extra steps.

    You're in good (err, fast) company, see: https://www.fastcompany.com/90807496/mastodon-servers [fastcompany.com] [warning, Privacy Badger reports 45 potential trackers blocked]

    I think that as Mastodon gets a more mainstream audience, we’ll see the process of spinning up a Mastodon server get easier. The third-party hosting service Masto.host was flooded with demand over the weekend, clearly showing that people want to take part. If it keeps up, general-interest cloud hosting companies like Vultr and DigitalOcean will probably start promoting one-click Mastodon installs, for example, as they do for Ghost, Minecraft, and WordPress.

    But for folks who find this state of affairs confusing, yes, it is. But historically, social communities have looked much more like Mastodon than they have Twitter. Usenet was built in exactly the same way. So was Yahoo! Chat, ICQ, and IRC. Twitter’s main innovation, in many ways, is that it combines all of these people into one giant public feed and lets users find their people, building interesting conversations from the collisions that this unusual state of affairs created. Eventually algorithms helped with this, but they also made people more comfortable with those contours, and Twitter was only taking steps to resolve this with groups.

    Starting Score:    0  points
    Moderation   +2  
       Interesting=1, Informative=1, Total=2
    Extra 'Interesting' Modifier   0  

    Total Score:   2