Mastodon Security

Image caption: Graphical reconstruction of Mammut americanum based on bony structure and paleontological texts (GNU License)

Some Twitter users have been considering moving to other, similar platforms. Twitter has a massively larger subscriber base than any of the alternative services. Mastodon is one of the bigger competitors, but even so the number of public Tweets is far greater than the number of Mastodon Toots. As a very rough comparison: Kindus is based in Hebden Bridge. At the time of writing there were 4 public Tweets on Hebden Bridge in the last hour, whereas the most recent public Toot tagged #HebdenBridge was 5 days old. Users sign up to one or more Mastodon servers (instances) according to their intended audience. For a casual user the major player would be , which also allows access to public posts from other Mastodon instances.

Most Mastodon servers are federated, meaning that public posts on one instance are visible from the others: a user on one instance can read public posts from, and follow users on, any other instance in the federation. Some servers deliberately run in isolation; others, such as the right-wing network Gab, have been blocked (de-federated) by the majority of other Mastodon servers.

Twitter is a single, integrated cloud service; Mastodon is a collection of distinct installs. Each Mastodon instance is set up on its own server, although some hosting services provide it as a bundle. Security and moderation are not the remit of an overarching body but the responsibility of each server's operator.

A corporate body might consider running its own Mastodon instance rather than joining an existing server. This allows the use of its own domain name in the Mastodon URL, introduces corporate branding and gives control over who can join or remain in the instance.

Running Mastodon might be compared to running a website within an engine such as WordPress. There are a number of options: join an existing site, set up with a dedicated hosting provider offering varying degrees of support, or run the whole caboodle on your own private server. Mastodon is a more complex and possibly riskier undertaking than WordPress, because setting it up and keeping it updated requires access to the console on the server. This will generally be through remote SSH access, and any such system changes require the root account or sudo. Although it is unlikely that an attacker will gain these privileges, the harm that can be done with them to the host system is considerably greater than from access to the limited set of files and database records needed to run a WordPress website.

The Mastodon code is open source and regularly updated, but it is the responsibility of each host to keep their installed version up to date. Attackers can study the code, and if a vulnerability is found it could be exploited on any unpatched Mastodon server connected to the Internet.

There is also a risk from access to the server on which an install resides. If an attacker has access to the files on the host server they could destroy that instance. The underlying database of Mastodon is PostgreSQL. The Mastodon server code needs a dedicated database account with which to read and write its data, and anyone holding that account's credentials can read all the Mastodon user data on the server. With access to the PostgreSQL superuser (postgres) account the Mastodon database account's password can be changed, locking the instance out of its own data so that it can be held hostage. Mastodon direct messages are stored in clear text on the server; they are not end-to-end encrypted. This is not an issue while the server is secure, but unauthorised access would expose that data. Together with the risk from a compromised database, this brings the risk of personal data exposure and GDPR breaches.
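The database account model described above, as an added example that is not from this page or from the Mastodon project. The role and database names follow the defaults in the Mastodon installation documentation (mastodon, mastodon_production); the statuses table columns text and visibility, with the value 3 meaning a direct message, are an assumption based on the Mastodon schema at the time of writing, and the passwords are placeholders.

```sql
-- Run as the PostgreSQL superuser (e.g. sudo -u postgres psql).
-- Weak setting: the application role keeps CREATEDB after installation and
-- the password chosen during setup is never rotated.
CREATE ROLE mastodon LOGIN CREATEDB PASSWORD 'setup-only-password';
CREATE DATABASE mastodon_production OWNER mastodon;

-- Hardened: once the initial schema load has run, remove CREATEDB and
-- rotate the password. The same value lives in .env.production as DB_PASS,
-- so both must be updated together. Restrict where the role may connect
-- from in pg_hba.conf rather than here.
ALTER ROLE mastodon NOCREATEDB;
ALTER ROLE mastodon PASSWORD 'long-random-password-from-a-secrets-store';

-- Check: the application role must not be a superuser and must not be able
-- to create databases or roles. Expect f, f, f.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole
FROM pg_roles
WHERE rolname = 'mastodon';

-- What the application role (or anyone holding its credentials) can see:
-- direct messages are plain text; visibility = 3 is 'direct' (assumed schema).
\c mastodon_production mastodon
SELECT id, account_id, created_at, text
FROM statuses
WHERE visibility = 3
ORDER BY created_at DESC
LIMIT 10;

-- What the superuser can do: change the application role's password, after
-- which Mastodon can no longer open its own database (the "held hostage"
-- scenario). Unexpected ALTER ROLE statements in the PostgreSQL log are
-- therefore worth alerting on.
\c mastodon_production postgres
ALTER ROLE mastodon PASSWORD 'attacker-controlled';
```

The pg_roles check is the part worth running routinely on any instance you operate. The query against statuses only exists to make the clear-text point concrete and should be run solely on data you are authorised to see.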

A casual user need not worry directly about server security and GDPR, although, as with Twitter, they should take care with what they post online since they may be exposing personal data. For more serious use, the choice of instance matters. The instance name is part of the user's Mastodon address, possibly revealing more than intended about their personal tastes. More worryingly, any breach of that server's security is a breach of every user account on that instance. Except when wishing to support a particular cause it would be best to stick to the generic and use additional accounts for more specific Mastodon instances.
