How secure a Twitter replacement is Mastodon? Let us count the ways

Mastodon seems to be the most popular replacement for Musk's followers. The number of monthly active users on Mastodon has more than tripled from 1 million to 3.5 million in the last month.

This increase raises questions about the security of the new platform. Mastodon is built on a model of independent server known as instances. It is similar to email or internet relay chat where security depends on the admin who configured it and maintains each individual server.

There have been more than 17,000 instances in the last month. These instances are run by volunteers who may or may not know how to protect themselves. The difficulty of configuring and maintaining instances leaves a lot of room for mistakes that can put user passwords and email addresses at risk. At least it had a staff with a deep background in security.

Security cons

Mike Lendvay is a certified information security professional and certified cloud security professional who runs the Mastodon instance You've had a lot of server go up very quickly, and there's going to be a lot of skill level in the people who administer them.


The software that powers the Mastodon platform is one of the concerns. The European Commission sponsored a bug bounty program that resulted in patches for 35 valid bug submissions. The misconfiguration that allowed for the download and deletion of all files on the server was discovered by a researcher earlier this month.

Serious security weaknesses are almost certainly present because of the lack of an audit and years of robust security testing.

A researcher this month discovered a server that was able to steal the data of more than 150,000 users from a server that was not password protected. The data was limited to account names, display names, profile pictures, following count, and follower count. One of the vulnerabilities discovered this month made it possible to steal users' passwords by injecting specially craftedHTML into the site.

Mastodon developers and admins have been quick to patch the vulnerabilities once reported. Other platforms have teams of security engineers, researchers, and compliance specialists who make sure their platform is up to date. Mastodon can't duplicate this. It's not realistic to expect volunteers to perform at the same level as a centralized platform.

The lack of dedicated security teams might be a problem, particularly in the event of a high-security vulnerability in the software ecosystem Mastodon relies on. The platform is built on Ruby on Rails, Postgres, and Redis. On the one hand, the combination of these three open source apps is tried and true, with use by notable platforms including GitHub, GitLab, Shopify, and Discourse.

The HeartBleed bug in the open source OpenSSL app caused the disclosure of all kinds of sensitive data from banking websites and other high-value targets, and it could happen to one of those apps.


Mastodon software doesn't have an update-availability feature.

You need to check the releases personally. I try to do that every week. I think they would hear it through the grapevine. I don't know what the consistency will be, I've seen different versions run.

Mastodon is likely to be more vulnerable to distributed denial-of-service attacks, which knock sites offline by bombing server with more traffic or commands than they can handle. It is considered a basic cost by centralized platforms. There aren't likely to be the same resources. Mastodon will likely use this susceptibility to silence critics if it continues to grow.

Stealing data and hacking accounts of influential people are just some of the things that a hacker could do. The hacker can impersonate influential users.

There are vulns in the ActivityPub protocol that will allow someone to broadcast a false toot, according to one user. There will be some other issues found.

Mastodon is more vulnerable to misinformation campaigns if they run at scale.

There aren't many protections against harassment on personal security. is one of many instances that aren't well-moderated. A well-moderated instance can be overwhelmed by attacks.