“Mastodon Vulnerability Exposed: How a Rivalling Spam Raid on Twitter/X Spotlights the ‘Fediverse’”

A spam attack that impacted Mastodon, the open source X rival, Misskey, and other apps highlights how the decentralized social web, also known as the Fediverse, is open to abuse. Over the past several days, attackers have targeted smaller Mastodon servers, taking advantage of open registrations to automate the creation of spam accounts. While this is not the first spam attack to hit the Fediverse, Mastodon founder Eugen Rochko notes that only larger servers like Mastodon.social had been targeted previously. The attack highlighted one of the weaknesses that comes with how the Fediverse is structured. “It makes me want to walk away and give up,” wrote one Mastodon server admin, sam@urbanists.social.

A wave of spam has recently hit the decentralized social web, specifically targeting Mastodon, the leading open-source rival of X. Other apps such as Misskey have also been affected, highlighting a major issue with the Fediverse – the potential for abuse. The attack, lasting for several days, exploited open registrations on smaller Mastodon servers and automated the creation of spam accounts. Mastodon’s founder and CEO, Eugen Rochko, confirmed the attack in a weekend post, urging server administrators to switch registration to approval mode and block disposable email providers to combat the issue.

While this is not the first time that the Fediverse has been hit with spam attacks, Rochko noted that previously only larger servers like Mastodon.social had been targeted. As this server is managed by Mastodon’s own team, they were able to handle the attacks themselves. However, this time the spammers turned their sights on smaller and abandoned servers that offered open registration, taking advantage of the lack of oversight to quickly create accounts and spread spam.
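To show what the two mitigations Rochko recommends look like at the registration boundary, here is an added example in Python; it is not code from Mastodon or from the article. It screens a sign-up against a constructed list of disposable-email domains, holds accounts for manual approval when approval mode is on, and flags bursts of registrations from a single address in constructed sign-up log lines, which is the pattern an admin sees when account creation has been scripted. The domain list, the log format and the burst threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Constructed list of disposable-email domains (placeholders under .example).
# A real server would load a maintained list instead of hard-coding one.
DISPOSABLE_DOMAINS: Set[str] = {"tempmail.example", "throwaway.example", "10min.example"}


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain part of an e-mail address, or None if malformed."""
    match = re.fullmatch(r"[^@\s]+@([^@\s]+\.[^@\s]+)", email.strip())
    return match.group(1).lower() if match else None


def screen_registration(email: str, approval_mode: bool,
                        disposable: Set[str] = DISPOSABLE_DOMAINS) -> str:
    """Decide what happens to a sign-up.

    'reject' : malformed address or disposable provider, never creates an account
    'hold'   : approval mode is on, an admin must confirm the account
    'accept' : open registration, the account is created immediately
    """
    domain = email_domain(email)
    if domain is None or domain in disposable:
        return "reject"
    return "hold" if approval_mode else "accept"


# Constructed sign-up log lines: ISO-8601 timestamp, remote IP, e-mail address.
SAMPLE_LOG = """\
2024-02-18T10:00:01Z 203.0.113.10 alice@example.org
2024-02-18T10:00:03Z 203.0.113.10 bob@example.org
2024-02-18T10:00:04Z 203.0.113.10 carol@example.org
2024-02-18T10:00:06Z 203.0.113.10 dave@example.org
2024-02-18T10:00:07Z 203.0.113.10 erin@example.org
2024-02-18T10:00:08Z 203.0.113.10 frank@example.org
2024-02-18T11:30:00Z 198.51.100.7 grace@example.net
"""


def signup_bursts(log: str, window: timedelta = timedelta(minutes=1),
                  threshold: int = 5) -> Dict[str, int]:
    """Return {ip: peak_count} for every IP that completed at least `threshold`
    sign-ups inside any sliding `window`; quiet IPs are not reported."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, ip, _email = line.split()
        by_ip[ip].append(datetime.fromisoformat(stamp.replace("Z", "+00:00")))

    flagged: Dict[str, int] = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, current in enumerate(times):
            # Slide the window start forward until the span fits inside `window`.
            while current - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for addr in ("alice@example.org", "bot@tempmail.example", "broken-address"):
        print(addr, "->", screen_registration(addr, approval_mode=True))
    print("burst sources:", signup_bursts(SAMPLE_LOG))
```

Run as a script it prints the decision for each sample address and reports 203.0.113.10 as a burst source (six sign-ups in under ten seconds), while the single sign-up from 198.51.100.7 is left alone. Approval mode does not stop the burst from arriving, it only stops it from turning into live accounts; the burst detector is what tells an admin of a seldom-watched server that something is happening.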

The attack was fully automated once the perpetrators learned how to script it, and it was reportedly sparked by a dispute between factions on Discord. According to reports on Mastodon, the spammers also targeted Misskey, another open-source blogging platform in the Fediverse that utilizes the ActivityPub protocol. This protocol allows users to interact with accounts on other federated social platforms such as Pixelfed and PeerTube.

The attack exposed a weakness in the structure of the Fediverse. As a decentralized network, anyone can install Mastodon on their own server, creating their own instance or node that connects with other federated social networking servers via ActivityPub. This means that smaller Mastodon servers, often run by enthusiasts as hobbyist projects, are vulnerable to attacks like this one. Server administrators who were not regularly monitoring their servers and had open registrations were easy targets for the spammers.

As one server admin, @Chris@mastodon.cosmicnation.co, pointed out, “Some instance admins got reminded that they had an instance. And we also learned there are A LOT of abandoned instances out there with their door wide open for registration without approval.”

In response to the attack, server admins collaborated to create lists of abandoned instances that others could use as a blocklist to protect their users from the spam. Some servers simply shut down while their admins waited for the attack to pass, while others abandoned Mastodon altogether.
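The lists admins circulated were plain text with one domain per line. As an added example, not code from the article or from Mastodon, here is a small Python tool that merges several such shared lists (tolerating comments, blank lines, mixed case and malformed entries) and emits a CSV in the column layout that Mastodon's admin interface uses for domain-block import and export. The two input lists are constructed, and the column layout is stated from memory, so check it against the export your own server produces before importing.

```python
import csv
import io
import re
from typing import List

# Two constructed shared lists, in the loose format such lists circulate in:
# one domain per line, '#' comments, blank lines, mixed case, stray whitespace.
LIST_A = """\
# abandoned instances seen relaying spam (constructed sample)
abandoned-one.example
Abandoned-Two.example
  spammy.example
"""

LIST_B = """\
spammy.example      # duplicate of an entry in the other list
open-reg.example
not a hostname!     # malformed line that must be skipped, not blocked
"""

# RFC 1123-style hostname: labels of letters, digits and hyphens, at least one dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)


def parse_domain_list(text: str) -> List[str]:
    """Extract valid, lower-cased hostnames from one shared list; drop comments,
    blanks and anything that is not a hostname (order preserved, duplicates kept)."""
    domains = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if entry and HOSTNAME_RE.match(entry):
            domains.append(entry)
    return domains


def merge_lists(*texts: str) -> List[str]:
    """Union of several shared lists, de-duplicated and sorted."""
    merged = set()
    for text in texts:
        merged.update(parse_domain_list(text))
    return sorted(merged)


# Assumed column layout of Mastodon's domain-block CSV (verify on your version).
CSV_HEADER = "#domain,#severity,#reject_media,#reject_reports,#public_comment,#obfuscate"


def to_domain_block_csv(domains: List[str], severity: str = "suspend",
                        comment: str = "spam wave, open registration") -> str:
    """Render the merged list as an importable domain-block CSV."""
    out = io.StringIO()
    out.write(CSV_HEADER + "\n")
    writer = csv.writer(out, lineterminator="\n")
    for domain in domains:
        writer.writerow([domain, severity, "true", "true", comment, "false"])
    return out.getvalue()


if __name__ == "__main__":
    print(to_domain_block_csv(merge_lists(LIST_A, LIST_B)), end="")
```

Validating each entry before it reaches the blocklist matters: a malformed or over-broad line in a list someone else compiled would otherwise be imported as a block on every server that trusts the list, which is the same lack of review that let the abandoned instances be abused in the first place.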

Third-party Mastodon app Ivory, from Tapbots, issued an emergency update with a custom filter named “Potential Spam” that allowed users to mute spam mentions. However, this filter did not prevent spam push notifications, which proved to be a major source of frustration for impacted users.

As of this morning, the attack seems to be winding down. Technologist and researcher Tim Chambers (@tchambers@indieweb.social) noted that for the first time in four days, he had fewer than 40 spam accounts to suspend on the server he manages.

While some see the attack as a wake-up call for the Fediverse to address this vulnerability, others are angry with Rochko for his initial lack of response. “This is ruining my Mastodon experience for me. It makes me want to walk away and give up,” wrote one Mastodon server admin, sam@urbanists.social. They also expressed frustration with Eugen’s silence on the issue.

Mastodon has been contacted for comment, but has not yet provided one.

In a similar space, Instagram Threads, another rival of Twitter and X, has plans to federate using ActivityPub. In recent months, Mastodon’s usage has been trending downward. In October of last year, it had approximately 1.8 million monthly active users, but by the time Threads launched publicly, this number had dropped to 1.5 million. With the recent launch of yet another decentralized social network, Bluesky, based on a different protocol and not yet part of the Fediverse, Mastodon’s usage has decreased further to 1 million monthly active users. This is reflected on the company’s homepage. In comparison, the wider Fediverse, including Mastodon and other apps, boasts a total of 2.9 million monthly active users. However, Threads’ entry into this space has the potential to drastically overshadow other Mastodon servers and could potentially lend Meta’s technical expertise in areas such as spam prevention. However, there are concerns that Meta’s end goal may be to dominate the Fediverse by becoming the default client for users and utilizing its vast resources to scale adoption of its app.


Ava Patel

Ava Patel is a cultural critic and commentator with a focus on literature and the arts. She is known for her thought-provoking essays and reviews, and has a talent for bringing new and diverse voices to the forefront of the cultural conversation.
