"Mastodon Vulnerability Allows Attackers to Take Over Accounts"

Mastodon, the free and open-source decentralized social networking platform, has recently fixed a critical vulnerability that allowed attackers to impersonate and take over any remote account. The platform grew in popularity after Elon Musk acquired Twitter and now has nearly 12 million users spread across 11,000 servers. Mastodon servers are autonomous but interconnected communities (linked through a system known as "federation"), each with its own guidelines and policies, controlled by owners who provide the infrastructure and act as administrators of their servers.

According to the company, the newly fixed flaw is tracked as CVE-2024-23832 and stems from insufficient origin validation in Mastodon, which allowed attackers to impersonate users and take over their accounts. The vulnerability is rated 9.4 in CVSS v3.1 and impacts all Mastodon versions before 3.5.17, 4.0.13, 4.1.13, and 4.2.5. The flaw was fixed as of 4.2.5, and all Mastodon server administrators are advised to upgrade to the latest version as soon as possible to protect the users of their servers. Mastodon has withheld technical details for the time being to prevent active exploitation of the vulnerability.


BleepingComputer reports: "Mastodon Vulnerability Allows Attackers to Take Over Accounts"

Submitted by Adam Ekwall on