The whole toot
Multiple instances of social media platform Mastodon are vulnerable to system configuration issues, security researcher Lenin Alevski warns.
The exodus of former Twitter users in response to the upheavals that have accompanied Elon Musk’s takeover of Twitter has shone the spotlight on Mastodon.
It has become the go-to hangout for many in the infosec community who have swapped tweeting for ‘tooting’ on the platform.
Security researchers such as Alevski, and PortSwigger’s Gareth Heyes before him, have, however, found the security maturity of Mastodon wanting.
More specifically, Alevski recently found that content uploaded to the infosec.exchange instance of Mastodon was stored in storage buckets that failed to apply access controls.
This shortcoming, explained in a technical blog post, made it possible for an attacker to access a user’s profile picture or any other uploaded data and replace it with arbitrary content.
The vulnerability also meant it was possible to download files from the server – including those shared by direct message (DMs on Mastodon, unlike Twitter, omit encryption). Destructive attacks, including the deletion of files on the server, were also possible.
The security shortcoming – which opened the door to all manner of mischief making and trolling – was quickly addressed after Alevski reported the issue to Jerry Bell, the sysadmin who runs the infosec.exchange instance of Mastodon.
Bell told The Daily Swig: “It was a misconfigured access policy on the bucket. I hadn’t removed write access from the default access path.”
In a blog post published after the issue was resolved, Alevski added that “system misconfiguration at the object storage level defeats whatever security mechanism Mastodon has on top”.
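The class of mistake Bell describes, a bucket policy that leaves anonymous callers with write access, can be caught by auditing the policy before it goes live. The following is an added example, not code from the article, from Alevski’s post or from infosec.exchange’s configuration: a small Python audit that flags policy statements granting write, delete or listing rights to everyone, run over a constructed S3-style policy (the article does not name the storage provider, so the S3 policy format and the bucket name `example-media` are assumptions).

```python
import json

# Actions that let an anonymous caller replace, remove or enumerate objects.
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:listbucket", "s3:*", "*"}

def _is_anonymous(principal):
    """True if a statement's Principal grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def find_anonymous_writes(policy_json):
    """Return (Sid, action) pairs that allow anonymous write, delete or list."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        for action in (actions if isinstance(actions, list) else [actions]):
            if action.lower() in WRITE_ACTIONS:
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings

# Constructed example: public read for media plus a leftover write grant on the
# same path, the shape of mistake the article describes (assumed bucket name).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media/*"},
        {"Sid": "LeftoverWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-media/*"},
    ],
})

# Corrected policy: anonymous callers may only read; uploads and deletions are
# left to the application's own credentials, which need no public statement.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media/*"}],
})

if __name__ == "__main__":
    print(find_anonymous_writes(WEAK_POLICY))   # [('LeftoverWrite', 's3:PutObject'), ('LeftoverWrite', 's3:DeleteObject')]
    print(find_anonymous_writes(FIXED_POLICY))  # []
```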
Alevski concluded by warning that infosec.exchange is far from an isolated case of system configuration problems in the Mastodon ecosystem. The security researcher has gone on to discover misconfigurations on other Mastodon instances.
“I found similar problems with a couple of them [other instances] and I [have] already reported the vulnerabilities,” according to Alevski.