Mastodon account hijacking possible with critical bug

Accounts on the decentralized social networking platform Mastodon could be remotely impersonated and taken over through the exploitation of a newly disclosed critical origin validation error vulnerability, tracked as CVE-2024-23832, The Hacker News reports. Mastodon has called on users of versions before 3.5.17, 4.0.13, 4.1.13, and 4.2.5 to apply the updates immediately to prevent any potential compromise. Further details about the security issue, however, are being withheld until Feb. 15. "Any amount of detail would make it very easy to come up with an exploit," said Mastodon. The platform runs as separate instances with their own privacy policies, codes of conduct, and content moderation terms, and each instance relies on its respective administrators to remediate vulnerabilities in a timely manner. The flaw comes months after Mastodon issued patches for two other critical bugs, tracked as CVE-2023-36459 and CVE-2023-36460, which attackers could have used to achieve remote code execution and denial-of-service attacks.