As Elon Musk critics flee Twitter, Mastodon seems to be the most common replacement. In the past month, the number of monthly active users on Mastodon has more than tripled, from about 1 million to 3.5 million, while the total number of users jumped from about 6.5 million to 8.7 million.
This significant increase raises important questions about the security of this new platform, and for good reason. Unlike the centralized model of Twitter and virtually every other social media platform, Mastodon is built on a federated model of independent servers, known as instances. In this regard, it is more akin to e-mail or Internet Relay Chat (IRC), where security depends on the skill and attention of the administrator who set it up and maintains each individual server.
In the last month, the number of instances has increased from approximately 11,000 to more than 17,000. The people who run these instances are volunteers who may or may not be familiar with the nuances of security. The difficulty of setting up and maintaining an instance leaves plenty of room for error that could put user passwords, email addresses, and IP addresses at risk of exposure (more on that later). Twitter's security left a lot to be desired, but at least it had a dedicated staff with a deep background in security.
“I honestly think it’s the biggest security concern in the space,” said Mike Lendvay, a Certified Information Security Professional and Certified Cloud Security Professional who also runs the Mastodon site friendsofdesoto.social. “Especially with the Twitter diaspora, you’ve got a lot of servers going up very quickly, and there’s going to be a very uneven level of skill level in the people managing them.”
Another concern is the software that powers the Mastodon platform. It has never undergone a formal security audit, although the European Commission sponsored a bug bounty program that resulted in patches for 35 valid bug submissions. Earlier this month, a researcher discovered a misconfiguration in several instances that allowed the downloading and deletion of all files stored on the server and the replacement of each user’s profile picture.
The lack of an audit and years of robust security testing by outsiders means that serious security vulnerabilities are almost certainly present.
To that point, a separate researcher this month discovered a server that had somehow managed to scrape the data of more than 150,000 users from a misconfigured instance. Fortunately, the data was limited to account name, display name, profile picture, number of followers, number of accounts followed, and last status update. A third vulnerability discovered this month on an instance made it possible to steal users’ clear-text passwords by injecting specially crafted HTML into the site.
Of course, all platforms have these types of vulnerabilities, and Mastodon developers and instance administrators have been quick to patch them when they were first reported. But other platforms have teams of security engineers, researchers and compliance specialists who look at newly patched vulnerabilities to ensure their platform is running up-to-date components. Mastodon’s federated structure cannot replicate this. Expecting volunteers to perform at the same scale as a centralized platform is unrealistic, to say the least.
The lack of dedicated security teams can be a problem, especially in the event of a high-severity vulnerability in the software ecosystem Mastodon relies on. The platform is built on Ruby on Rails, Postgres, and Redis. On the one hand, the combination of these three open source components is tried and true, used by notable platforms including GitHub, GitLab, Shopify, and Discourse.
But things could go bad if one of those components gets hit with something of the severity of Heartbleed, the 2014 flaw in the open source OpenSSL library that caused the exposure of all sorts of sensitive data from banking websites and other high-value targets.
Also, the Mastodon software has no automatic update feature, or even a notification that an update is available.
“You have to check the GitHub releases in person,” Lendvay said. “I try to do it weekly. But for many, I would think they would hear through the grapevine. I’ve seen different versions run, so who knows what the consistency will be.”
Mastodon – or at least instances that host famous or influential users – is also likely to be much more vulnerable to distributed denial-of-service (DDoS) attacks, which knock websites offline by bombarding servers with more traffic or commands than they can handle. Centralized platforms with deep pockets consider DDoS mitigation services a basic cost of doing business. Volunteer-run instances probably don’t have the same resources. If Mastodon’s user base continues its current growth spurt, this susceptibility will likely be exploited to silence critics of all stripes.
In addition to stealing data, hackers may also be tempted to hijack the accounts of influential people or take control of administrative functions. In either case, the hacker could then impersonate influential users.
“I’d bet there’s a vulnerability in the ActivityPub protocol that would allow someone to broadcast a fake toot that can be attributed to a known handle,” said one user. “Or another protocol problem will be found.”
Finally, Mastodon is likely more susceptible to harassment and misinformation campaigns, at least when those campaigns are run at scale.
“When it comes to personal security, there’s not a lot of protection against harassment,” said Jon Pincus of Nexus of Privacy. “Many instances are not well moderated (including mastodon.social, which [Mastodon creator] Eugen [Rochko] runs). Even well-moderated instances can be overwhelmed by targeted attacks.”