Is Mastodon, the Twitter 'Replacement' For Many, Secure?

Mastodon, an open-source social media platform, has become the de facto Twitter 'replacement' for many individuals looking to move away from the platform since Elon Musk took over as CEO and removed restrictions on content moderation and unbanned controversial users. Experts from Tanium and Cybrary weighed in on the security structure of Mastodon and what users need to be mindful of as they join the platform.

Melissa Bischoping, Director, Endpoint Security Research Specialist, Tanium:

"Mastodon has quickly emerged as the destination of choice for many who've opted to leave Twitter in recent weeks. This open-source, decentralized platform has many advantages and the growth in popularity will hopefully lead to additional features and functionality as the open-source platform continues to mature. That said, those joining Mastodon should not consider it a like-for-like Twitter replacement, and should be aware of the unique features of the Fediverse.

Each instance is managed by an administrator, who has control over the infrastructure and the software running on the servers. This means that you are placing trust in the administrators to secure and maintain their instance, and trusting they will protect your account. Because many of these are small teams or individual operators without large budgets or security teams, you should not assume that any instance is secure or private. This doesn't mean you shouldn't use it, but it does mean you should not assume any data shared there is encrypted or protected from theft or seizure by law enforcement.

Treat the Fediverse and any Mastodon instance as a place to share information, connect, and collaborate in the same way you'd do those things in person in a town square or public coffee shop. In short, don't use Mastodon to send sensitive, personal, or private information you wouldn't be comfortable posting publicly anyway.

Additionally, given the potential for vulnerabilities and exploitation, follow the best practices for account management - unique passwords and multi-factor authentication. Lastly, many instances have been set up specifically for the purpose of testing security and reporting bugs and vulnerabilities, so the ethical hacking and bug hunting community can continue to contribute and improve security of the platform as its popularity grows."

David Maynor, Senior Director of Threat Intelligence, Cybrary:

“Mastodon isn’t the panacea many people fleeing Twitter may think it is. While it’s been an open-source project for years, it never came close to the server load and scrutiny it has recently. Proofs-of-Concept are floating around for many critical bugs easily discovered with vulnerability scanners. Aside from the code, the way Mastodon is segmented means one or two people who administer a particular instance are the weak link in the security model. My moving advice is firmly ‘buyer beware.’”