Twitter alternative spouts a massive leak

Security consultant and Have I Been Pwned creator Troy Hunt has detailed a vulnerability in the API of Spoutible, a social platform that emerged following Elon Musk’s takeover of Twitter, that could allow hackers to take full control of users’ accounts.

After someone alerted Hunt to the vulnerability, he discovered that hackers could exploit Spoutible’s API to obtain a user’s name, username, and bio, along with their email, IP address, and phone number. Spoutible has since addressed the vulnerability, writing in a post on its site that it didn’t leak decrypted passwords or direct messages, while confirming the “information scraped included email addresses and some cell phone numbers.” It invited anyone who still wants to use the service back for a “special Pod session” at 1PM ET. Both Spoutible and Hunt recommend that users change their passwords and reset 2FA.

As mentioned by Hunt, this isn’t entirely uncommon, as seen in similar data-scraping incidents on platforms like Facebook and Trello.

However, Hunt discovered something much more alarming: bad actors could also use the exploit to obtain a hashed version of users’ passwords. While they were protected with bcrypt, short or weak passwords could be fairly easy to decipher, and the service blocked people from setting longer passwords that would be harder to crack.

And, to top it all off, Hunt found that the API returned the 2FA code used to sign in to someone’s account, as well as the reset tokens generated to help a user change a forgotten password. This could let hackers easily gain access to and hijack someone’s account without alerting them to the breach.

According to Hunt, the exploit exposed the emails of around 207,000 users. That’s nearly everyone on the whole platform, as a June 2023 report from Wired indicated Spoutible had 240,000 users.