
Mastodon Privacy for Small Instances

A screenshot of the author's Mastodon instance, available at , showing the instance's logo, a user count of 5, and the tagline "A return to an older and better internet".
Mastodon, one of many social media platforms on the Fediverse, has attracted a lot of attention since the purchase of Twitter by Elon Musk. 

With some instances growing by tens of thousands of users in as little as a week, and new personal instances popping up everywhere, I thought I'd take a moment to look at some of the security and privacy features. 

As instances are usually run by a tech-savvy individual and serve a small group of friends, family, and colleagues, it seems imperative that privacy be at the forefront, especially for marginalized groups.

To that end, Mastodon provides several features to protect users of an instance. 

User Options

One notable user feature is "hide social graph" which blocks a user's follows and followers from being visible. 

Hide your social graph checkbox is shown

While this keeps other users from knowing with absolute certainty who you follow or who follows you, that data may still be reasonably accessible and associated with you.

Let's look at the options available to administrators. 

Admin Options

Within the Server Administration options under Discovery, server admins may choose to hide the Local and Federated timelines. 

These timelines are available at:
- domain.TLD/public/local
- domain.TLD/public

Allow unauthenticated access to public timelines checkbox is shown

While users may not know this option exists, testing of our own instance at has shown that if unchecked, users' follows can be determined with a great deal of confidence. 
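Because the setting lives in an admin page that users never see, the quickest way to confirm what your own instance actually exposes is to request the timelines without logging in. The following script is an added example (not code from the original post or from the Mastodon project): it asks the instance's public API for one status from the Local and the Federated timeline with no credentials and reports whether each is readable anonymously. It assumes the standard Mastodon endpoint GET /api/v1/timelines/public with its `local` parameter, which every instance serves; the hostname is a placeholder to replace with your own.

```python
"""Check whether a Mastodon instance serves its Local and Federated timelines
to unauthenticated visitors. Added example, not part of the original post.

Assumption (mine, not stated on the page): Mastodon answers
GET /api/v1/timelines/public with HTTP 200 and a JSON array of statuses when
anonymous access is allowed, and with a non-200 status when it is not.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Tuple

# A fetcher returns (HTTP status, response body). The real one below talks
# to the network; the check accepts any callable so it can be run offline
# against a constructed response.
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str) -> Tuple[int, str]:
    """Fetch a URL with no credentials and return (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "timeline-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # Mastodon's refusal is itself an HTTP error status; report it as-is.
        return err.code, err.read().decode("utf-8", "replace")


def timeline_is_public(host: str, local: bool, fetch: Fetcher = http_fetch) -> bool:
    """Return True if the timeline can be read without logging in.

    local=True asks for the Local timeline, local=False for the Federated one.
    Only a 200 response carrying a JSON array counts as exposed; anything else
    (401/422 refusal, redirect to login, HTML error page) counts as closed.
    """
    scope = "true" if local else "false"
    status, body = fetch(f"https://{host}/api/v1/timelines/public?local={scope}&limit=1")
    if status != 200:
        return False
    try:
        return isinstance(json.loads(body), list)
    except ValueError:
        return False


def exposure_report(host: str, fetch: Fetcher = http_fetch) -> dict:
    """Summarise anonymous readability of both timelines for one instance."""
    return {
        "host": host,
        "local_timeline_public": timeline_is_public(host, True, fetch),
        "federated_timeline_public": timeline_is_public(host, False, fetch),
    }


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "domain.TLD"  # placeholder host
    report = exposure_report(target)
    print(json.dumps(report, indent=2))
    if report["federated_timeline_public"]:
        print("Federated timeline is readable without login; on a small instance "
              "this lets an outsider see which remote accounts your users follow.")
```

Run it as `python timeline_check.py your.instance` after changing the Discovery setting, and again after any Mastodon upgrade, since a release that resets or renames the option would otherwise go unnoticed. The web pages at /public and /public/local are the same data rendered as HTML, so the API answer is the authoritative one.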

Why Does This Happen?

Though Mastodon has an overwhelming number of user privacy protections, it is nonetheless a social media network, and like any network, it benefits from the addition of nodes and content.

The Federated timeline, when utilized by a heavily populated instance, serves to bring in and showcase an outstanding amount of new content that users may be interested in. This follows, as you are likely on an instance with people who share your hobbies or your political, career, or geographic interests.

The Federated timeline does so by showing users all content currently flowing into the server from across the Fediverse. Every post and boost from every followed user on any instance appears here. 

However, users who have opted to hide their social graph are not opted out of the Federated timeline. 

This creates an opportunity where misconfiguration or unintentional configuration by admins may result in users' follows being identifiable.

What can I do? 

If you're on a small instance and want to protect your privacy, reach out to your admins. Feel free to point them to this post and voice your concerns. Federation is a great benefit of the move away from walled gardens, but if your threat profile includes needing to mask who follows you, ask them to change the settings.

If you're running an instance, assess your users' needs and preferences. Is a publicly accessible federated timeline essential to the health and safety of your instance? Likely not; in that case, update your settings!


Users have the opportunity to enjoy a safe and private social media experience on the Fediverse. But like any other software, misconfigurations or unintentional configurations can put the safety and privacy of users at risk.

Having a publicly viewable federated timeline, while beneficial to prospective users, may disproportionately affect users' safety and privacy. 

You can find me on the Fediverse at

Ingredients: 1/4 Stick butter 1/2C AP flour 3/4C room temp milk 3 room temp eggs Salt pepper mace nutmeg allspice etc if you want it Blend it or whisk it until homogeneous  Put a castiron in a cold oven at 425°.  Remove when preheat finishes and melt in a 1\4 stick of butter.   Pour in batter.  Top with parm and fresh herbs.  Cook 15m.