Mastodon hit by security flaw — top Twitter alternative acts fast to patch critical security issue that could have let hackers hijack user accounts


Top Twitter alternative Mastodon was found to be carrying a high-severity vulnerability which could have been used by hackers to impersonate people and take over their accounts. 

The flaw is tracked as CVE-2024-23832, and has a severity rating of 9.4. It affects all Mastodon versions before 3.5.17, 4.0.13, and 4.2.5. 

The vulnerability has now been patched, with administrators advised to apply it without delay. Specific details on the flaw are currently being withheld, as Mastodon wants to give admins enough time to patch. The project promised to share more information on February 15, BleepingComputer reports.  

Decentralization and patching

For those who don’t know, Mastodon is an open source, decentralized social networking platform, which rose to (relative) prominence after Elon Musk bought Twitter. 

In “fear” of radical changes to Twitter, many people flocked to Mastodon, which now allegedly houses 12 million users. 

Mastodon works on the basis of instances - communities with unique guidelines and policies, governed by their administrators. The instances are then interconnected in a system Mastodon refers to as “federation”.

Being decentralized also makes it somewhat more difficult to patch. Every admin needs to patch their own instance, and Mastodon has placed a big banner on each server to alert the administrators. They have until mid-February to protect their users; once the details are published, accounts on any instance still running an unpatched version will be exposed to the hijacking flaw.
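Since every instance admin has to verify their own deployment, the practical check is whether the running version is at or above the fixed release for its branch. The following is an added example written for this article, not code from the Mastodon project: it compares a version string against the three fixed versions named above (3.5.17, 4.0.13 and 4.2.5). It assumes that a pre-release tag such as `-rc1` sorts before the final release, that any branch the advisory does not list (for example 4.1.x) is treated as vulnerable unless it is newer than the newest fixed release, and that the sample instance list is constructed for illustration. The `version` field is the one an admin would read from the instance's own `/api/v1/instance` endpoint; here it is supplied inline so the script runs offline.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases named in the advisory for CVE-2024-23832, keyed by release branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (3, 5): (3, 5, 17),
    (4, 0): (4, 0, 13),
    (4, 2): (4, 2, 5),
}

# major.minor.patch with an optional pre-release suffix (e.g. "4.2.5-rc1", "4.3.0-nightly.2024-02-01").
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, is_final).

    is_final is 1 for a released build and 0 for a pre-release, so that a
    tuple comparison orders "4.2.5-rc1" before "4.2.5" (assumption: Mastodon
    pre-release tags never carry a fix that the final release lacks).
    """
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Mastodon version string: {text!r}")
    major, minor, patch = (int(match.group(i)) for i in (1, 2, 3))
    is_final = 0 if match.group(4) else 1
    return (major, minor, patch, is_final)


def is_vulnerable(version_text: str) -> bool:
    """True when the version predates the fix for its branch."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Branch without a listed backport (e.g. 4.1.x or 3.4.x): assumption is
        # that only releases newer than the newest fixed build carry the fix.
        fixed = max(FIXED_VERSIONS.values())
    # Append is_final=1 so a pre-release of the fixed version still counts as vulnerable.
    return version < fixed + (1,)


def audit_instances(instances: Dict[str, str]) -> List[str]:
    """Return the hostnames whose reported version is still vulnerable, sorted."""
    return sorted(host for host, ver in instances.items() if is_vulnerable(ver))


# Constructed sample: hostnames and versions are illustrative, not real instances.
SAMPLE_INSTANCES = {
    "social.example": "4.2.4",
    "toots.example": "4.2.5",
    "legacy.example": "3.5.16",
    "lts.example": "3.5.17",
    "old.example": "4.0.12",
    "mid.example": "4.1.3",          # unlisted branch, older than every fixed release
    "rc.example": "4.2.5-rc1",       # pre-release of the fixed version
    "next.example": "4.3.0-nightly", # newer than the newest fixed release
}

if __name__ == "__main__":
    for host in audit_instances(SAMPLE_INSTANCES):
        print(f"{host}: {SAMPLE_INSTANCES[host]} is below the fixed release, patch now")
```

Running the script lists `legacy.example`, `mid.example`, `old.example`, `rc.example` and `social.example`; the two instances already on a fixed release and the nightly build newer than 4.2.5 are left out.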

Mastodon may not be the powerhouse Twitter is, but its user base is hardly negligible. As such, threat actors are also hunting for potential vulnerabilities on the platform. Last summer, the project fixed a critical vulnerability tracked as CVE-2023-36460, called “TootRoot”. This flaw allowed threat actors to send “toots” (posts) that could create web shells on target instances. The flaw granted the attackers full control over the vulnerable server, including access to sensitive user information.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
