The decentralized social network Mastodon has disclosed a critical security flaw, tracked as CVE-2024-23832, that exposes users to the risk of malicious actors impersonating and taking over any account. The vulnerability carries a severity score of 9.4 out of 10. Classified as an “origin validation error” (CWE-346), the flaw could let an attacker reach any functionality that is inadvertently accessible to a source the software fails to verify. All Mastodon versions before 3.5.17, as well as specific versions of the 4.0.x, 4.1.x, and 4.2.x branches, are affected.
Mastodon’s maintainers issued a terse advisory stating that the flaw allows attackers to impersonate and take control of any remote account because of insufficient origin validation. Security researcher Arcanicanis is credited with discovering and reporting the vulnerability. Mastodon is withholding further technical details until February 15, 2024, giving administrators a window to update their server instances before exploitation becomes more likely. Because Mastodon is federated, with each instance running on its own server, every administrator must apply the update independently.
The disclosure follows Mastodon’s response to two other vulnerabilities seven months earlier (CVE-2023-36460 and CVE-2023-36459), which addressed the risk of denial-of-service (DoS) attacks and remote code execution. Because each Mastodon instance is independently operated under its own rules, its administrator is responsible for applying security updates promptly. Mastodon’s decision to delay the technical details is intended to minimize the risk of exploitation while underscoring the importance of prompt instance updates in the face of evolving cybersecurity threats.