We're talking about an account that was created through normal means, that is not really distinguishable from just any random account, but contains something like "hello 1.2.3.4|" in its bio. The way they seem to be used is that some botnet software checks the profile to get its commands that way. It is not a Mastodon vulnerability and I don't think its specific to Mastodon either.