Several critical bugs on the Twitter-like social media platform Mastodon were patched last week, after researchers funded by the Mozilla Foundation tipped their hat to the vulnerabilities. The situation shows one of the fundamental tradeoffs in open-source software development: that publicly available code can be reviewed and exploited by anyone.
Sometimes that means bugs are found by so-called white hat hackers, and sometimes they’re left open to be exploited. In Mastodon’s case, Mozilla paid German security firm Cure53 to pen test the social network, after announcing plans it would be using Mastodon for some corporate communications.
Especially in the post-Elon-Musk-buyout Twitter era, Mastodon has become one of the most popular decentralized applications used by everyday folk. Mastodon calls itself a “federation” because it consists of several thousand separate "instances” that serve people content (unlike at companies like Twitter or Facebook, which maintain their own servers). Anyone can run their own or ask to join another instance, which can set their own moderation standards.
Not much has been revealed about the five bugs that were patched, though independent security researcher Kevin Beaumont, writing on Mastodon, said one potential exploit dubbed #TootRoot could have given hackers root access to Mastodon instances – which could have caused all types of issues including compromised accounts and other phishing schemes.
Mastodon gGmbH, the organization that maintains Mastodon’s open source software, rated one other bug as critical and the three others as high and medium in severity. Large servers were also sent pre-announcements about the security holes in recent weeks, so they could be ready to quickly deploy a patch when it went live, according to Ars Technica.
As far as I can tell, none of Mastodon’s 14.5 million users were affected by the bad lines of code, which seem to have been unexploited. But the situation does raise some uncomfortable concerns, including how long the critical issues would have sat dormant had Mozilla not been interested in paying to see if Mastodon was secure. And whether a bad actor could have gotten to it first.
These are live issues in the world of free and open source software, including (and perhaps especially) in crypto. Putting aside the challenges of making sure everyone downloads a patch or is running the latest software – (if you’re a Mastodon user, check that the instance you're using is on version 4.1.3 or later or hound the server to update) – the security of shared networks is totally subject to market forces.
Financial incentives cut both ways for hackers, who can sometimes receive a bug bounty for properly disclosing an issue or turn around and sell the malicious information on a darknet market. And there isn’t always a Mozilla out there willing to pay for in-depth audits to make sure these systems are secure.
The problem is only complicated by crypto, which turns applications into “multimillion dollar bug bounties” or grab bags for hackers looking to make a quick buck. Some $3.1 billion was stolen from decentralized finance (DeFi) protocols alone last year. And even when protocol foundations or users banded together pay for code reviews, it’s not always clear an auditor’s stamp of approval can be trusted (often due as much to incompetence as greed).
Diyahir Campos, a crypto user and developer who says he lost out after the multi-million dollar attack of Euler Finance, recently revealed a DeFi “circuit breaker” that would pause protocols seeing abnormal withdrawals. This would be an “opt-in thing,” which admittedly wouldn’t offer users complete security but could minimize the amount of money lost in hacks.
Solutions like this are admirable, even if there are no easy fixes to crypto’s problems (and definitely not a “one-size-fits-all” option). And, of course, there’s a baseline risk in using any computer program whether or not it’s open source. Lest we forget even the most competent seeming institutions like the U.S. Department of Defense or Microsoft are not immune to catastrophic bugs.
The FOSS community fosters a real culture of solidarity and shared responsibility, where the respect garnered from finding and disclosing issues is often worth more than the money they could have earned. Let that be cold comfort to crypto, whether or not institutions like Mozilla are on the way to adoption.
– D.K.
@danielgkuhn
daniel@coindesk.com