Mastadon vulnerability leads to account takeover
Mastodon, a free, open-source, and decentralized social networking service, has addressed a significant security issue that could let attackers impersonate users and seize control of any account on the platform.
This platform has gained popularity, especially following Elon Musk's acquisition of Twitter, and now has nearly 12 million users distributed over 11,000 instances.
Mastodon instances, which are independent servers, form interconnected communities through a system called "federation." Each instance has its unique rules and policies, managed by its owners who also provide the necessary infrastructure and oversee server administration.
The vulnerability, identified as CVE-2024-23832, was caused by inadequate origin validation within Mastodon's framework, which could enable attackers to masquerade as other users and hijack their accounts.
Rated 9.4 on the CVSS v3.1 scale, this flaw affected all Mastodon versions up to 3.5.17, 4.0.13, 4.1.13, and 4.2.4.
With the release of version 4.2.5, this issue has been resolved. Mastodon server administrators are strongly encouraged to update their systems to this latest version immediately, ensuring the security of their community members.