Mastodon’s Data Leaked Due to Configuration Error


A data leak at Mastodon, a decentralized social network, was caused by insufficient server configuration rather than an external intrusion. The misconfiguration allowed any user of the service to view data uploaded to files.mastodon.social. Although Mastodon discovered and resolved the issue quickly, the exposure had existed since the beginning of February, when recent infrastructure upgrades introduced it.

Normally, Mastodon protects access to files by giving them long, randomly generated names, so that only those who hold the link can reach them. This protection was undermined during the infrastructure upgrade. Most of the data reachable in this way, however, was already public.

Data exports downloaded by users, on the other hand, also contain non-publicly shared posts, direct messages, and attachments. Mastodon has stated that this archive data was deleted immediately once the issue was discovered, but any access that had already taken place could not be undone.

The temporarily exposed data exports include only a user’s public profile, favorites, bookmarks, posts, and media attachments, and Mastodon has reassured users that e-mail addresses and other personal identification data were not part of the leak. No further action is required from users.
