Mastodon Vulnerability Allows Hackers to Hijack Any Decentralized Account

February 4, 2024 at 12:19PM

Mastodon, a decentralized social network, has revealed a significant security flaw, CVE-2024-23832, with a severity rating of 9.4. Vulnerable versions include those before 3.5.17 and specific 4.0.x, 4.1.x, and 4.2.x versions. Mastodon plans to disclose technical details on February 15, 2024, urging administrators to update server instances promptly to prevent exploitation. This follows previous critical flaw disclosures.

The meeting notes from February 3, 2024, highlight a critical security vulnerability in the decentralized social network Mastodon. The vulnerability, tracked as CVE-2024-23832, allows attackers to impersonate and take over remote accounts due to insufficient origin validation. It has a severity rating of 9.4 out of 10 and affects Mastodon versions prior to 3.5.17 and various 4.0.x, 4.1.x, and 4.2.x versions.
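
The "insufficient origin validation" named above is a general class of check in federated software: an object a server receives must not be attributed to an account unless the object's own identifier, its stated author and the actor that delivered it all agree. The following Ruby example is added here to illustrate that class of check; it is not Mastodon's code and does not describe the undisclosed CVE-2024-23832 mechanism. The function names (`origin_of`, `validate_object_origin`, `run_checks`), the hosts `example.social` and `other.example` and the sample objects are all constructed for the example.

```ruby
require 'uri'

# Added, constructed example of origin validation for federated objects.
# It is not Mastodon's code and does not reproduce the CVE-2024-23832
# mechanism; it shows the general class of check the article refers to.

# Normalized origin ("scheme://host:port") of an absolute http(s) URI,
# or nil for anything else (relative paths, mailto:, malformed input).
def origin_of(uri_string)
  uri = URI.parse(uri_string.to_s)
  return nil unless uri.is_a?(URI::HTTP) && uri.host
  "#{uri.scheme}://#{uri.host.downcase}:#{uri.port}"
rescue URI::InvalidURIError
  nil
end

# Accept an object as a statement of the delivering actor only when
# (1) the object's id, (2) its attributedTo/actor field and (3) the actor
# that delivered (signed) the activity all agree on origin and author.
# Returns [accepted, reason].
def validate_object_origin(object, delivering_actor_id)
  object_id = object['id']
  author = object['attributedTo'] || object['actor']
  return [false, 'object has no id'] if object_id.nil?
  return [false, 'object has no author'] if author.nil?

  origins = [origin_of(object_id), origin_of(author), origin_of(delivering_actor_id)]
  return [false, 'non-http(s) or malformed URI'] if origins.any?(&:nil?)

  obj_origin, author_origin, actor_origin = origins
  unless obj_origin == author_origin
    return [false, "object origin #{obj_origin} differs from author origin #{author_origin}"]
  end
  unless author == delivering_actor_id && author_origin == actor_origin
    return [false, "author #{author} is not the delivering actor #{delivering_actor_id}"]
  end
  [true, 'ok']
end

# Constructed sample actors and objects (not real instances or accounts).
ALICE = 'https://example.social/users/alice'
MALLORY = 'https://other.example/users/mallory'

GENUINE_NOTE = {
  'id' => 'https://example.social/users/alice/statuses/1',
  'type' => 'Note',
  'attributedTo' => ALICE,
  'content' => 'hello from alice'
}

# Same author field, but delivered by an actor on a different server.
RELAYED_BY_OTHER = GENUINE_NOTE.merge('id' => 'https://example.social/users/alice/statuses/2')

# Object hosted on one server but claiming an author on another.
CROSS_ORIGIN_NOTE = {
  'id' => 'https://other.example/objects/3',
  'type' => 'Note',
  'attributedTo' => ALICE
}

# Runs the three cases and returns the accept/reject decision per case.
def run_checks
  {
    genuine: validate_object_origin(GENUINE_NOTE, ALICE)[0],
    relayed_by_other: validate_object_origin(RELAYED_BY_OTHER, MALLORY)[0],
    cross_origin: validate_object_origin(CROSS_ORIGIN_NOTE, ALICE)[0]
  }
end

if __FILE__ == $PROGRAM_NAME
  run_checks.each { |name, accepted| puts "#{name}: #{accepted ? 'accepted' : 'rejected'}" }
end
```

In a real inbox handler the `delivering_actor_id` would be the actor resolved from the HTTP signature's key, not a field copied from the request body, and the same origin discipline applies to every place a server dereferences or stores a remote object, not only to `Create` activities.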

Mastodon has delayed revealing technical specifics about the flaw until February 15, 2024, to give admins time to update server instances and prevent exploitation. The federated nature of the platform, with independently hosted and operated servers, adds complexity to the timely application of security updates.

This disclosure comes seven months after two other critical flaws in the platform were addressed. Those earlier flaws (CVE-2023-36460 and CVE-2023-36459) could have led to denial of service or remote code execution.

This information is relevant for further analysis and awareness of the ongoing security challenges posed by the Mastodon platform.
