Mastodon, a Twitter-like social media platform, recently patched several critical bugs after researchers funded by the Mozilla Foundation discovered them. This situation highlights the trade-off of open-source software development: publicly available code can be reviewed and exploited by anyone. Mozilla had announced plans to use Mastodon for some corporate communications, so they paid German security firm Cure53 to pen-test the social network.
Mastodon has become a popular decentralized application, with 14.5 million users. It is a “federation” of several thousand separate “instances” that serve people content, and anyone can run their own or join another instance. Five bugs were patched, with one potential exploit, #TootRoot, giving hackers root access to Mastodon instances. This could have led to compromised accounts and phishing schemes. Large servers were sent pre-announcements about the security holes in recent weeks, so they could quickly deploy a patch when it went live.
“As far as I can tell, none of Mastodon’s 14.5 million users were affected by the bad lines of code, which seem to have been unexploited,” said The Node newsletter. This raises the question of how long the critical issues would have sat dormant had Mozilla not been interested in paying to see if Mastodon was secure.
The security of shared networks is totally subject to market forces, and financial incentives cut both ways for hackers. This is especially true in the world of crypto, where applications can become “multi-million dollar bug bounties” or grab bags for hackers. Solutions like a “circuit breaker” that would pause protocols seeing abnormal withdrawals are admirable, but there are no easy fixes to crypto’s problems.