How secure a Twitter replacement is Mastodon? Let us count the ways

As Elon Musk critics flee from Twitter, Mastodon seems to be the most common replacement. In the last month, the number of monthly active users on Mastodon has rocketed more than threefold, from about 1 million to 3.5 million, while the total number of users jumped from about 6.5 million to 8.7 million.

This substantial increase raises important questions about the security of this new platform, and for good reason. Unlike the centralized model of Twitter and virtually every other social media platform, Mastodon is built on a federated model of independent servers, known as instances. In this respect, it’s more akin to email or Internet Relay Chat (IRC), where security depends on the ability and attention of the admin who configured it and maintains each individual server.

The past month has seen the number of instances mushroom from about 11,000 to more than 17,000. The people running these instances are volunteers who may or may not be versed in the nuances of security. The difficulty of configuring and maintaining instances leaves plenty of room for mistakes that can put user passwords, email addresses, and IP addresses at risk of being revealed (more about that later). Twitter security left much to be desired, but at least it had a dedicated staff with a deep background in security.

Security cons

“I honestly think that's the biggest concern facing security in space,” Mike Lendvay, a certified information security professional and certified cloud security professional who also runs the Mastodon instance friendsofdesoto.social. “Especially with the Twitter diaspora, you've had a lot of servers go up very quickly, and there's going to be a very uneven amount of skill level in the people administering them.”

Another concern is the software powering the Mastodon platform. It has never undergone a formal security audit, although the European Commission sponsored a bug bounty program that resulted in patches for 35 valid bug submissions. Earlier this month, a researcher discovered a misconfiguration in multiple instances that allowed for the downloading and deleting of all files stored on the server and replacing every user’s profile picture.

The lack of an audit and years of robust security testing by outsiders means that serious security weaknesses are almost surely present.

To that point, a separate researcher this month discovered a server that had somehow managed to scrape the data of more than 150,000 users from a misconfigured server. Fortunately, the data was limited to account names, display names, profile pictures, following count, follower count, and last status update. A third vulnerability discovered this month on one instance made it possible to steal users' plaintext passwords by injecting specially crafted HTML into the site.

Of course, all platforms have these sorts of vulnerabilities, and Mastodon developers and instance admins have been quick to patch them once reported. But other platforms have teams of security engineers, researchers, and compliance specialists who pore over recently patched vulnerabilities to ensure their platform runs up-to-date components. Mastodon’s federated structure can’t replicate this. Expecting volunteers to perform at the same scale as a centralized platform is unrealistic, to say the least.

The lack of dedicated security teams might be a problem, particularly in the event of a high-security vulnerability in the software ecosystem Mastodon relies on. The platform is built on Ruby on Rails, Postgres, and Redis. On the one hand, the combination of these three open source apps is tried and true, with use by notable platforms including GitHub, GitLab, Shopify, and Discourse.

But things could go badly if one of those apps is hit by something severe like HeartBleed, the 2014 bug in the open source OpenSSL app that caused the disclosure of all kinds of sensitive data from banking websites and other high-value targets.

What’s more, Mastodon software has no auto-update or even update-availability feature.

“You have to check the GitHub releases, personally,” Lendvay said. “I try to do that weekly. But for many, I would imagine they would hear through the grapevine. I've seen disparate versions running, so who knows what the consistency will be.”

Mastodon—or at least instances hosting widely known or influential users—is also likely to be much more susceptible to distributed denial-of-service attacks (DDos), which knock sites offline by bombing servers with more traffic or commands than they can handle. Centralized platforms with deep pockets consider DDoS mitigation servers a basic cost. Volunteer-run instances aren’t likely to have the same resources. If Mastodon’s user base continues its current growth spurt, this susceptibility will likely be used to silence critics of all stripes.

Besides stealing data, hackers might also be tempted to hack the accounts of influential people or take control of administrative functions. In either case, the hacker could go on to impersonate influential users.

“I would bet money there are vulns in the ActivityPub protocol that will allow someone to broadcast a false toot attributable to a famous handle," one user said. “Or there will be some other protocol issue found.”

Lastly, Mastodon is likely more susceptible to harassment and misinformation campaigns, assuming they run at scale.

“On personal security, there aren't a lot of protections against harassment,” said Jon Pincus of the Nexus of Privacy. “Many instances aren't well-moderated (including mastodon.social, which [Mastodon creator] Eugen [Rochko] runs). Even well-moderated instances can be overwhelmed by determined attacks.”

The pros

Nothing above should be construed as meaning Mastodon isn’t safe to use. While its decentralized structure poses security challenges, the risks facing its users are the same facing people using Twitter or any other social media site or even most open source software.

“If you compare Mastodon to other software products (which Mastodon is), such as WordPress, Discourse, Nginx, etc, there is no difference,” Rochko, the creator of Mastodon and CEO of Mastodon gGmbH, wrote in an email. “We accept responsibly disclosed bugs, keep them secret until a fix is ready to avoid exploitation in the wild, announce a security release, and then reveal what the bug was when the fix is available to install. Operators who take Mastodon seriously have been consistently observed to upgrade swiftly; operators who do not, typically are only responsible for themselves and their friends/family.”

What’s more, Mastodon has some advantages over many of its peers. For one thing, the site collects considerably less personal data. Most notably, it doesn't store phone numbers and has no algorithm keeping track of users’ interests. This excellent write-up shows the personal data various instances will have. The instance a person uses has the most, but even then, it's limited to that person's public and private messages, email address, and cryptographically hashed password.

Storing less personal information makes Mastodon a lower-value target and means that even if an instance gets hacked, there’s less data for a hacker to take. Another thing to potentially make Mastodon a less likely target is its decentralization. A site like Twitter or Facebook gives hackers the opportunity to steal data for hundreds of millions of people with a single hack. Mastodon's instances have orders of magnitude fewer users.

Mastodon also offers robust two-factor authentication right out of the box. That means that users who authenticate using physical security keys are immune to credential phishing attacks.

So what is a person migrating to Mastodon to do?

“My take is the same as Twitter,” said Kevin Beaumont, a security professional and admin for the cyberplace.social instance. “Don’t write anything on social media you wouldn’t write in public. Much like Twitter handles direct messages without encryption, Mastodon messages aren’t encrypted either.”

That means that just like Twitter, admins or people who successfully hack the platform can read direct messages.

What to do?

Here are some basic guidelines

• Protect your account with a long, unique, randomly generated password and turn on 2FA, preferably using a security key instead of an authentication app.
• Consider using an email privacy protection service such as those from DuckDuckGo or Apple and using that when registering an account.
• Don’t put anything confidential in your account. This includes direct messages.
• When deciding which instance to join, make sure it’s running the most recent version of the Mastodon software. Instances running out-of-date versions indicate the admin doesn’t have good security hygiene. The version number appears at the bottom left of a server page, and the most recent version available can be found here. If possible, also find out if the admin regularly backs up data. Consider, too, the experience of the person administering. Seasoned security professionals are likely more careful than hobbyists with little training.

• 

  The green box in this profile verifies that a user is associated with a given site.

  Verify your account using Mastodon’s link verification feature. This will make it harder for someone to impersonate you. Remember, the blue check mark in someone’s profile means nothing. Verified Mastodon accounts are indicated by a green box with a check mark.
• While avoiding direct messages is a good policy, be aware that if your DM to Person A includes the Mastodon handle of Person B, Person B will automatically get pulled into the conversation. This could make things awkward if you didn’t intend for Person B to read your message.
• Read the privacy policy of the instance you're considering to ensure your data doesn't get passed on to third parties. It's likely to differ from one to the other.