Mastodon Vulnerability Allows Hackers to Hijack Any Decentralized Account

The decentralized social network Mastodon has disclosed a critical security flaw that enables malicious actors to impersonate and take over any account.

“Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account,” the maintainers said in a terse advisory.

The vulnerability, tracked as CVE-2024-23832, has a severity rating of 9.4 out of a maximum of 10. Security researcher arcanicanis has been credited with discovering and reporting it.

It has been described as an “origin validation error” (CWE-346), which can typically allow an attacker to “access any functionality that is inadvertently accessible to the source.”

Every Mastodon version prior to 3.5.17 is vulnerable, as are 4.0.x versions before 4.0.13, 4.1.x versions before 4.1.13, and 4.2.x versions before 4.2.5.

Mastodon said it’s withholding additional technical specifics about the flaw until February 15, 2024, to give admins ample time to update the server instances and prevent the likelihood of exploitation.

“Any amount of detail would make it very easy to come up with an exploit,” it said.

The federated nature of the platform means that it runs on separate servers (aka instances), independently hosted and operated by respective administrators who create their own rules and regulations that are enforced locally.

This also means that not only each instance has a unique code of conduct, terms of service, privacy policy, and content moderation guidelines, but it also requires each administrator to apply security updates in a timely fashion to secure the instances against potential risks.

The disclosure arrives nearly seven months after Mastodon addressed two other critical flaws (CVE-2023-36460 and 2023-36459) that could have been weaponized by adversaries to cause denial-of-service (DoS) or achieve remote code execution.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.