Dozens of new social networks pop up every year, but not a single one of them has been able to dethrone giants like Facebook, Instagram, and LinkedIn.
A Twitter alternative called Mastodon has been gaining traction, however. But how does Mastodon work? More importantly, is it safe? Is it more secure and private than Twitter?
How Does Mastodon Work?
Mastodon is a cross between Twitter and Discord. Just like Twitter, it is a microblogging platform. But unlike Twitter, it is decentralized, and hosts hundreds of different servers. The servers are typically centered around a single theme (e.g. politics, technology) and administered by volunteer moderators.
These servers (instances) are sorted by topic, language, geographical region, and so on. Each has its own rules and sign-up process. Users can join as many as they want, and follow people across different sections, so one does not need special access to view posts and communicate with others.
Once you sign up to Mastodon (you need a username, a password, and an email address to verify your account), you can edit your profile, change preferences, follow other users, and such—just like on Twitter.
In short, that is how Mastodon works. It is a unique social network, but the interface is pretty intuitive, and you’ll probably get used to it in no time if you’ve ever used similar platforms.
Is Mastodon Secure?
Mastodon is free, open-source, and available on all popular operating systems. It is crowdfunded and does not contain advertisements, which is one major advantage it has over other social networking platforms.
The decentralized, quasi-democratic system Mastodon is built on is also its weak point. Unlike other social networks, it does not have a large team of people handling cybersecurity, so what it does have are major vulnerabilities.
When billionaire Elon Musk took control of Twitter in November 2022, Mastodon saw a major influx of new users. This also attracted the attention of the cybersecurity community, with prominent researchers testing the platform for vulnerabilities. Some immediately discovered significant issues that could have resulted in serious breaches.
For example, PortSwigger researcher Gareth Heyes discovered an HTML vulnerability that threat actors could have exploited to steal user credentials, as reported by Security Week. MinIO’s expert Lenin Alevski, meanwhile, spotted a flaw that could have been exploited to download files shared via private messages. Ironically, these two vulnerabilities were found in the Infosec.exchange server.
Moreover, independent cybersecurity researcher Anurag Sen discovered an unknown threat actor scraping data belonging to 150,000 Mastodon users. Prior to that, penetration tester Joe Helle found a flaw that would have enabled brute force attacks.
To Mastodon’s credit, all of these vulnerabilities were fixed shortly after they were spotted. However, it seems reasonable to assume that more flaws will be discovered in the future, especially if Mastodon’s user base continues to grow, and as cybersecurity experts spend more time investigating the platform.
Fortunately, there are things individual users can do to secure their accounts. For example, you can create a strong password and enable two-factor authentication, limit who views your posts, block domains and users, edit preferences, and so forth.
Mastodon vs. Twitter: Which Platform Is Safer?
Twitter was launched in 2006, while Mastodon has been around since 2016.
Unsurprisingly, Twitter has suffered more security breaches. It was hit by quite a few early on, which prompted the US Federal Trade Commission (FTC) to bring charges against the company for failing to secure users’ personal information. The lawsuit was settled in 2010, when Twitter committed to establishing a strong security model, and agreed to annual audits.
Hundreds of verified, high-profile Twitter accounts have been hacked over the years. Most notably, accounts belonging to former US President Barack Obama, Microsoft founder Bill Gates, and dozens of other prominent individuals were hacked in 2020 by a threat actor running a cryptocurrency scam. Similar hacks of verified accounts took place a year later.
In August 2022, Twitter admitted that an update it had introduced a year earlier allowed one threat actor to link email addresses and phone numbers to user accounts. The bug was reported through the company’s bug bounty program in January 2022, and patched up afterwards.
Is Mastodon More Private?
Clearly, both Twitter and Mastodon have had their fair share of security issues. What about privacy though? How much data do these companies collect, and is one worse than the other?
Overall, Mastodon is better than Twitter when it comes to respecting user privacy, because Twitter collect a large amount of personal data, mostly for advertising purposes. Precisely because Mastodon does not allow ads, the incentive to collect user data is simply not there.
Then there are the issues of speech and content moderation. With Musk at the helm, Twitter has seemed more open to relaxing its once-strict rules. Mastodon, on the other hand, is more restrictive by default—because each server has its own rules, administrators can impose restrictions however they deem fit. They can freeze, limit, or permanently suspend accounts. Additionally, a server administrator can ban domains, email servers, and IP addresses.
Twitter or Mastodon: Take Your Pick
It remains to be seen if Mastodon will ever reach Twitter’s popularity, but it could evolve into a proper tech giant if its user base continues to grow at a healthy pace in the coming years.
From a cybersecurity perspective, there are some differences between Twitter and Mastodon, but neither platform is truly safe. The good news is, there are several secure social networks that respect user privacy, so make sure you check them out.