Top Twitter alternative Mastodon was found to be carrying a high-severity vulnerability which could have been used by hackers to impersonate people and take over their accounts.
The flaw is tracked as CVE-2024-23832, and has a severity rating of 9.4. It affects all Mastodon versions before 3.5.17, 4.0.13, and 4.2.5.
The vulnerability has now been patched, with administrators advised to apply it without delay. Specific details on the flaw are currently being withheld, as Mastodon wants to give admins enough time to patch. The project promised to share more information on February 15, BleepingComputer reports.
Decentralization and patching
For those who don’t know, Mastodon is an open source, decentralized social networking platform, which rose to (relative) prominence after Elon Musk bought Twitter.
In “fear” of radical changes to Twitter, many people flocked to Mastodon, which now allegedly houses 12 million users.
Mastodon works on the basis of instances: communities with unique guidelines and policies, governed by their administrators. The instances are then interconnected in a system Mastodon refers to as “federation”.
Being decentralized also makes it somewhat more difficult to patch. Every admin needs to patch their own instance, and Mastodon has placed a big banner on each server to alert the administrators. They have until mid-February to protect their users, after which their accounts will be vulnerable to the hijacking flaw.
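Because every instance is patched independently, an administrator (or a security team federating with many servers) needs a quick way to tell whether a given Mastodon version still predates the fixed releases named above. The following is an added example written for this article, not code from Mastodon or from the article's source; it compares a reported version against the three fixed releases the article lists (3.5.17, 4.0.13 and 4.2.5) and reads the version string from the JSON body of Mastodon's public `/api/v1/instance` endpoint, which carries a `version` field. The sample responses are constructed, and any release branch the article does not list (for example 4.1.x) is deliberately reported as "unknown" rather than guessed.

```python
"""Classify a Mastodon version string as vulnerable, patched or unknown
with respect to the fixed releases named in the article (CVE-2024-23832)."""
import json
import re

# Fixed releases named in the article, keyed by their MAJOR.MINOR branch.
# A branch that is not listed here is reported as "unknown", not guessed.
FIXED_RELEASES = {
    (3, 5): (3, 5, 17),
    (4, 0): (4, 0, 13),
    (4, 2): (4, 2, 5),
}

# Matches the leading MAJOR.MINOR.PATCH triple; suffixes such as "+glitch"
# or "-rc1" that some forks and pre-releases append are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) parsed from a version string, or None."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def assess(version_text):
    """Return 'vulnerable', 'patched' or 'unknown' for one version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        # Branch not covered by the article's list: do not assume either way.
        return "unknown"
    # Tuple comparison orders (4, 2, 4) < (4, 2, 5) correctly, unlike
    # comparing the raw strings "4.2.10" and "4.2.9".
    return "patched" if version >= fixed else "vulnerable"


def assess_instance_json(body):
    """Assess the JSON body of /api/v1/instance, which carries 'version'."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    version = data.get("version") if isinstance(data, dict) else None
    if not isinstance(version, str):
        return "unknown"
    return assess(version)


# Constructed sample responses standing in for several instances' replies.
SAMPLE_RESPONSES = {
    "instance-a.example": '{"uri": "instance-a.example", "version": "4.2.4"}',
    "instance-b.example": '{"uri": "instance-b.example", "version": "4.2.5+glitch"}',
    "instance-c.example": '{"uri": "instance-c.example", "version": "3.5.16"}',
    "instance-d.example": '{"uri": "instance-d.example", "version": "4.1.12"}',
    "instance-e.example": "<html>maintenance page</html>",
}


def assess_fleet(responses=SAMPLE_RESPONSES):
    """Map each instance name to its assessment."""
    return {name: assess_instance_json(body) for name, body in responses.items()}


if __name__ == "__main__":
    for name, verdict in assess_fleet().items():
        print(f"{name:20s} {verdict}")
```

The per-branch table matters: a naive "is the version at least 4.2.5" test would wrongly flag a fully patched 3.5.17 or 4.0.13 server, which is exactly the situation on a network where many administrators stay on older supported branches.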