A new social media network named Mastodon popped up a few months ago and is designed to deliver a decentralised, open-source experience, but its this unique structure that may make its members vulnerable to cyber-attacks.
Malwarebyte's researcher Zammis Clark blogged that the decentralised nature of the site's construction, which he said helps eliminate ads, a primary selling point for users, also leaves the social network open to hackers. The site is very different from Facebook, Twitter and other networks.
Instead of being hosted by a corporate entity on its server system Mastodon members can set up their own server if they wish, called in “instance” by the Mastodon community, and then have people join Mastodon through that server. But here is where the problem arises.
Each person's “instance” receives a special domain name, for example mastodon.instance1, and anyone registering on that instance would receive a username like johnsmith.mastodon.instance1.
Where things go awry, Clark said, is the usernames can be replicated across all the "instances", so on mastodon.instance2 there could be a johnsmith.mastodon.instance2. This creates a situation where there are no verified accounts.
“As phishing exists via email, similar attacks could occur on Mastodon, with a malicious user registering on a Mastodon instance with the username of someone on another instance, cloning their profile, and trying to social engineer their followers, for example. Those on another instance will see the full Mastodon username with the instance name, but this can be cut off with usernames that are long enough, on some clients,” Clark wrote.
There is not much online about Mastodon. An about “instance” exists https://mastodon.social/about, but it contains little information other than a brief description and a note that due to high registration levels it is temporarily shut down. Another page listing several dozen “instances” is also online.
The lack of verification can possibly become a true problem with corporate accounts. Clark said there is no way to tell if the account is actually held by that company, although the network is so new he did not know if this situation has yet arisen.
Malwarebytes pointed out several other potential risks inherent with the use of “instances”. First, the “instance” admin can see all the posts made by its members and accounts cannot be deleted without the admin's permission.
“It's still in development, so there's some missing functionality that can lead to additional risk (and some of that functionality does not make sense to this style of social network, anyway). You will want to be more careful on Mastodon; making a mistake could be more costly there,” he concluded.