News, news analysis, and commentary on the latest trends in cybersecurity technology.

Cybersecurity Pros Put Mastodon Flaws Under the Microscope

As the open source social media network grabs the spotlight as a Twitter replacement, researchers caution about vulnerabilities.

2 Min Read
Hand-colored woodcut of prehistoric wooly mammoth hunters using bows and arrows. So it's not a mastodon. Close enough.
Source: North Wind Picture Archives via Alamy Stock Photo

From an anonymous server collecting user information to configuration errors that create vulnerabilities, infosec experts are pointing out security holes in Mastodon, which, seen as a replacement for Twitter, is experiencing massive user growth — and an increased scrutiny of its flaws.

Unlike other social media apps, which have a central authority, Mastodon is a federation of servers that can communicate with each other but which are maintained and run separately by independent admins. That means different rules, different configurations, and sometimes different software versions could apply to different users and postings.

One of the most popular "instances" — the Mastodon term for individual servers/communities — for the cybersecurity community is, and its members certainly scrutinize its configuration. Gareth Heyes (@gaz on, a researcher at PortSwigger, uncovered an HTML injection vulnerability stemming from attributes of the specific software fork used.

In another example from a recent Security Week article, Lenin Alevski (@alevsk on, a security software engineer at MinIO, pointed out a system misconfiguration that would allow him to download, modify, or delete everything in the instance's S3 cloud storage bucket.

Finally, researcher Anurag Sen (@hak1mlukha on discovered an anonymous server that was scraping Mastodon user data.

Twitter Users Flock to Mastodon

Until recently, Mastodon was considered part of the social-media underground, an alternative to Twitter created in 2016 as an escape hatch in the face of buyout rumors. When Elon Musk first agreed to buy the microblogging behemoth back in April, Mastodon gained 30,000 new users in a day, compared with a more typical growth of below 2,000 a day. But that's a drop in the bucket compared with the 135,000 new users who joined on Nov. 7.

"Treat the Fediverse and any Mastodon instance as a place to share information, connect, and collaborate in the same way you'd do those things in person in a town square or public coffee shop. In short, don't use Mastodon to send sensitive, personal, or private information you wouldn't be comfortable posting publicly anyway," said Melissa Bischoping, director and endpoint security research specialist at Tanium, via email.

"Aside from the code, the way Mastodon is segmented means one or two people who administer a particular instance are the weak link in the security model," added David Maynor, senior director of threat intelligence at Cybrary. "My moving advice is firmly 'buyer beware.'"

Of course, Twitter is no stranger to security issues, so caveat emptor is timeless and universal.

About the Author(s)

Karen Spiegelman, Features Editor

Karen joined Dark Reading in January 2022 as features editor. She's been in tech editing since before the img tag was introduced, working for outlets such as the IEEE Computer Society, CNET, and TechTV. She lives in Los Angeles with her husband, son, and two cats. Find her on Mastodon.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights