Twitter alternative Spoutible spouts a massive leak

Security consultant and creator of Have I Been Pwned, Troy Hunt, has detailed a vulnerability in the API of Spoutible, a social platform that emerged after Elon Musk’s takeover of Twitter, that could allow hackers to take full control of its users’ accounts.

After someone alerted Hunt to the vulnerability, he discovered that hackers could exploit Spoutible’s API to obtain a user’s name, username, and bio, along with their email, IP address, and phone number. Spoutible has since addressed the vulnerability, writing in a post on its site that it did not discover any decrypted passwords or direct messages, while confirming that the “deleted information includes email addresses and some mobile phone numbers.” The post also invited anyone who still wants to use the service to a “special Pod session” at 1pm ET. Both Spoutible and Hunt recommend that users change their passwords and reset 2FA.

As noted by Hunt, this is not entirely unusual, as seen in similar data harvesting incidents on platforms like Facebook and Trello.

However, Hunt discovered something far more alarming: bad actors could also use the exploit to obtain a hashed version of users’ passwords. While the hashes were protected with bcrypt, short or weak passwords could still be fairly easy to crack, and the service blocked people from entering the longer passwords that would have been harder to crack.

And, to top it all off, Hunt found that the API returned the 2FA code used to log into one’s account, as well as the reset tokens designed to help a user change a forgotten password. Together, these can allow hackers to gain access to and hijack someone’s account without alerting them to the breach.
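The class of bug described above is an API that serializes an internal user record wholesale, so hashes, 2FA codes and reset tokens ride along with the public profile. As an added illustration (not code from Spoutible or from Hunt’s write-up; the record and field names are assumptions), here is that leaky pattern beside an allowlist serializer and a check that flags secret-bearing fields in an outgoing payload:

```python
# Added example, not Spoutible's code: a constructed internal user row and
# two ways of serializing it for a public profile endpoint.
from dataclasses import dataclass, asdict

@dataclass
class UserRecord:
    """Constructed stand-in for a full internal user row (field names assumed)."""
    username: str
    display_name: str
    bio: str
    email: str
    phone: str
    last_ip: str
    password_hash: str      # bcrypt hash; must never leave the server
    totp_code: str          # current 2FA code (constructed for the demo)
    reset_token: str        # password-reset token

# The only fields a public profile endpoint legitimately needs.
PUBLIC_FIELDS = ("username", "display_name", "bio")

# Fields that must never appear in any API response, even to the owner.
SECRET_FIELDS = {"password_hash", "totp_code", "reset_token"}

def serialize_leaky(user: UserRecord) -> dict:
    """Vulnerable pattern: dump the whole record and rely on the client to
    ignore what it should not see. Every column becomes an API field."""
    return asdict(user)

def serialize_public(user: UserRecord) -> dict:
    """Hardened pattern: an explicit allowlist, so adding a column to the
    user table can never silently widen what the endpoint exposes."""
    return {name: getattr(user, name) for name in PUBLIC_FIELDS}

def leaked_secret_fields(payload: dict) -> set:
    """Detection helper for a test suite or an egress response filter:
    returns the secret-bearing field names present in a payload."""
    return SECRET_FIELDS.intersection(payload)

# Constructed sample record; none of these values are real.
SAMPLE = UserRecord(
    username="alice", display_name="Alice", bio="hello",
    email="alice@example.invalid", phone="+15550100", last_ip="192.0.2.10",
    password_hash="$2b$12$CONSTRUCTED_EXAMPLE_HASH_VALUE",
    totp_code="123456", reset_token="CONSTRUCTED_RESET_TOKEN",
)
```

Running `leaked_secret_fields` over every serialized response in a test suite catches the regression the moment a new sensitive column is added to the user model.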

According to Hunt, the exploit exposed the emails of about 207,000 users. That is almost everyone on the platform, as a June 2023 report from Wired showed that Spoutible had 240,000 users.
