Mastodon hit by security flaw — top Twitter alternative acts fast to patch critical security issue that could have let hackers hijack user accounts

Mastodon is giving users until February 15 to patch

Top Twitter alternative Mastodon was found to be carrying a high-severity vulnerability which could have been used by hackers to impersonate people and take over their accounts.

The flaw is tracked as CVE-2024-23832, and has a severity rating of 9.4. It affects all Mastodon versions before 3.5.17, 4.0.13, and 4.2.5.

The vulnerability has now been patched, with administrators advised to apply it without delay. Specific details on the flaw are currently being withheld, as Mastodon wants to give admins enough time to patch. The project promised to share more information on February 15, BleepingComputer reports.

Decentralization and patching

For those who don’t know, Mastodon is an open source, decentralized social networking platform, which rose to (relative) prominence after Elon Musk bought Twitter.

In “fear” of radical changes to Twitter, many people flocked to Mastodon, which now allegedly houses 12 million users.

Mastodon works on the basis of instances - communities with unique guidelines and policies, governed by their administrators. The instances are then interconnected in a system Mastodon refers to as “federation”.

Being decentralized also makes it somewhat more difficult to patch. Every admin needs to patch their own instance, and Mastodon has placed a big banner on each server to alert the administrators. They have until mid-February to protect their users; after that, users on instances that are still unpatched will remain exposed to the hijacking flaw.

Mastodon may not be the powerhouse Twitter is, but its user base is hardly negligible. As such, threat actors are also hunting for potential vulnerabilities on the platform. Last summer, the project fixed a critical vulnerability tracked as CVE-2023-36460, called “TootRoot”. This flaw allowed threat actors to send “toots” (posts) that could create web shells on target instances. The flaw granted the attackers full control over the vulnerable server, including access to sensitive user information.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.