Critical vulnerability in Mastodon is pounced upon by fast-acting admins

Mastodon has called admins to action following the disclosure of a critical vulnerability affecting the decentralized social network favored by erstwhile Twitter lovers. With a 9.4 severity score, exploiting CVE-2024-23832 potentially allows attackers to take over Mastodon accounts remotely.  While very little has been …

  1. Anonymous Coward

    Troth Central?

    doesn't that run on an old version of mastodon? It would be a real shame (sic) if it was taken down and everything wiped. Nothing of value to humanity would be lost.

    1. Anonymous Coward

      Re: Troth Central?

      Truth Social and Gab are both running Mastodon technology (though in walled garden fashion so they can't be reached from the general Mastodon network) but I don't know how close they stay to the reference implementation. My guess is that they are pretty understaffed and will probably be following quite close. In that case they could likely pretty easily port this fix over too.

      I can't be arsed myself but it shouldn't be too hard for someone to inspect the web interface and API of Truth Social or Gab to see how it identifies itself. With a random Mastodon server you can see in the bottom left corner of the Explore page which version it runs, such as here on Mastodonapp.uk.

    2. ldo Silver badge

      Re: Troth Central?

      Oh Donald, Donald, wherefore art thou Donald ...

  2. biddibiddibiddibiddi Bronze badge

    And this is why I won't trust Mastodon, running on any number of servers run by who knows what kind of monkeys (with no accountability) who may or may not fix problems like this and introduce vulnerabilities that could affect me even if I'm not on their server. (There are other reasons I have no interest in it, though.)

    1. Mr. Flibble

      what? you mean like all software since the dawn of programming?

    2. ldo Silver badge

      Re: trust Mastodon

      This is great. When they send you a security update, you know it’s a security update, not some hidden (mis)feature for their own benefit that they are trying to foist on you.

    3. Naich

      "There are other reasons I have no interest in it, though"

      Is that you, Elon?

    4. Dan 55 Silver badge

      You'd better give up sending e-mail too while you're at it.

    5. Flocke Kroes Silver badge

      Re: Trust Mastodon

      You get to choose which server hosts your account.

      Your choice can be influenced by how the monkeys describe themselves.

      If the description proves inaccurate or you prefer different monkeys you can switch your account to a different server.

      There is accountability: poor hosts can be de-federated.

      If poor maintenance of one server could have negative consequences for accounts held on others then the same effect could be achieved by malice. The fact that this has not happened shows that such an attack requires more effort than bad actors have so far been willing to apply.

      The fact that you have other (probably good) reasons not to take an interest in Mastodon explains your ignorance. I had enough interest to do some research and try Mastodon last year. What you get out of Mastodon depends on how much effort you put in and how many people you find with similar interests who make some effort. Last year I was not getting enough from Mastodon to make it worth the effort I was putting in. Other people have different interests and priorities so will have a different experience. I am sure I will try again some time.

      1. Anonymous Coward

        Re: Trust Mastodon

        But the Masto-don (what an appropriate name for a Twitter rip-off) devs can (and do) decide they don't like your server and block it anyway. Until that's fixed it's as wanky as its name.

        1. doublelayer Silver badge

          Re: Trust Mastodon

          You have it wrong. Other server admins can block you, not the devs*. That causes a problem, but it's not what you're implying. Since I don't use the system, I don't know how frequent that is, but at least describe it accurately.

          * Technically, the devs could write the code to exclude you, but that's not what has happened.

    6. desht

      And this is why I won't trust Xitter, running on any number of servers run by who knows what kind of monkeys (with no accountability) who may or may not fix problems like this and introduce vulnerabilities that could affect me even if I'm not on their server. (There are other reasons I have no interest in it, though.)

    7. Champ

      >...why I won't trust Mastodon, running on any number of servers run by who knows what kind of monkeys

      What, like email, yeah?

  3. Omnipresent Silver badge

    I told you guys

    I said this was going to happen back when El Reg announced it was going Mastodon. It was written by a Russian. It's the same as ex twit and truther anon. Russia is probably in control of, and monitoring, all three.

    1. CowHorseFrog Silver badge

      Re: I told you guys

      It's good to see Third Reich master race politics is finally acknowledged in the USA as being official policy. I remember the other day in a Boeing article here, someone said that B nearly killed some AMERICANS, which made them bad. Nobody downvoted this. B has already killed humans with their greed, I'm referring to the Ethiopian Max accident etc, but obviously they don't count because they aren't American.

    2. Dan 55 Silver badge

      Re: I told you guys

      I've just checked the original developer's biography - he moved to Germany when he was 11 and Mastodon is now a German non-profit. Your Red Scare dial needs adjustment.

      1. yetanotheraoc Silver badge

        Re: I told you guys

        "Your Red Scare dial needs adjustment."

        It's already at 11, the dial won't turn any further.

        1. Simian Surprise

          Re: I told you guys

          For $2000 I'll build you one that goes to 12.

    3. Omnipresent Silver badge

      Re: I told you guys

      Probably all housed on a server in ole "petersburg" itself.

      1. Anonymous Coward

        Re: I told you guys

        What part of de-centralised is giving you issues? Break it down into small chunks, you can do it.

        Mastodon isn't a platform, it's a piece of interoperable software that can talk to other bits of software.

        Outside of your head, it's not quite clear what the Russians would have to gain by having a secret asset (that's what you're claiming Gargron is, right?) build a bit of software that can trivially be replaced with Akkoma and the like.

        There isn't even an algorithm for them to quietly exploit - toots are time-ordered.
