Subj : Mastodon hit by security flaw  top Twitter alternative acts fast
To   : All
From : TechnologyDaily
Date : Mon Feb 05 2024 14:15:04

Mastodon hit by security flaw  top Twitter alternative acts fast to patch 
critical security issue that could have let hackers hijack user accounts

Date:
Mon, 05 Feb 2024 14:08:57 +0000

Description:
Mastodon is giving users until February 15 to patch, after which it will 
release more details about the flaw.

FULL STORY
======================================================================

Top Twitter alternative Mastodon was found to be carrying a high-severity 
vulnerability which could have been used by hackers to impersonate people and 
take over their accounts. 

The flaw is tracked as CVE-2024-23832, and has a severity rating of 9.4. It 
affects all Mastodon versions before 3.5.17, 4.0.13, and 4.2.5. 

The vulnerability has now been patched, with administrators advised to apply 
it without delay. Specific details on the flaw are currently being withheld, 
as Mastodon wants to give admins enough time to patch. The project promised 
to share more information on February 15, BleepingComputer reports. 
Decentralization and patching 

For those who dont know, Mastodon is an open source, decentralized social 
networking platform, which rose to (relative) prominence after Elon Musk 
bought Twitter. 

In fear of radical changes to Twitter, many people flocked to Mastodon, which 
now allegedly houses 12 million users. 

Mastodon works on the basis of instances - communities with unique guidelines 
and policies, governed by their administrators. The instances are then 
interconnected in a system Mastodon refers to as federation. 

Being decentralized also makes it somewhat more difficult to patch. Every 
admin needs to patch their own instance, and Mastodon has placed a big banner 
on each server to alert the administrators. They have until mid-February to 
protect their users, after which their accounts will be vulnerable to the 
hijacking flaw. 

Mastodon may not be the powerhouse Twitter is, but its user base is hardly 
negligible. As such, threat actors are also hunting for potential 
vulnerabilities on the platform. Last summer, the project fixed a critical 
vulnerability tracked as CVE-2023-36460, called TootRoot. This flaw allowed 
threat actors to send toots (posts) that could create web shells on target 
instances. The flaw granted the attackers full control over the vulnerable 
server, including access to sensitive user information. More from TechRadar 
Pro Mastodon fixes major security flaw that could have allowed system 
hijacking Here's a list of the best firewalls around today These are the best 
endpoint security tools right now



======================================================================
Link to news story:
https://www.techradar.com/pro/security/mastodon-had-to-act-fast-to-patch-a-cri
tical-security-flaw-that-could-have-let-hackers-hijack-user-accounts


--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)

.