The Verge:

Security consultant and Have I Been Pwned creator Troy Hunt has detailed a vulnerability in the API of Spoutible, a social platform that emerged following Elon Musk’s takeover of Twitter, that could allow hackers to take full control of users’ accounts.

After someone alerted Hunt to the vulnerability, he discovered that hackers could exploit Spoutible’s API to obtain a user’s name, username, and bio, along with their email, IP address, and phone number. Spoutible has since addressed the vulnerability, writing in a post on its site that it didn’t leak decrypted passwords or direct messages, while confirming the “information scraped included email addresses and some cell phone numbers.” It invited anyone who still wants to use the service back for a “special Pod session” at 1PM ET. Both Spoutible and Hunt recommend that users change their passwords and reset 2FA.

As mentioned by Hunt, this isn’t entirely uncommon, as seen in similar data-scraping incidents on platforms like Facebook and Trello.

However, Hunt discovered something much more alarming: bad actors could also use the exploit to obtain a hashed version of users’ passwords. While they were protected with bcrypt, short or weak passwords could be fairly easy to decipher, and the service blocked people from setting longer passwords that would be harder to crack.

And, to top it all off, Hunt found that the API returned the 2FA code used to sign in to someone’s account, as well as the reset tokens generated to help a user change a forgotten password. This could let hackers easily gain access to and hijack someone’s account without alerting them to the breach.

According to Hunt, the exploit exposed the emails of around 207,000 users. That’s nearly everyone on the whole platform, as a June 2023 report from Wired indicated Spoutible had 240,000 users.

MuskWire TLDR:

Security consultant Troy Hunt has identified a vulnerability in the API of Spoutible, a social platform that emerged after Elon Musk’s takeover of Twitter, which could potentially allow hackers to gain full control of users’ accounts. After being alerted to the vulnerability, Hunt discovered that hackers could exploit Spoutible’s API to obtain users’ personal information, including their name, username, bio, email, IP address, and phone number. Spoutible has since addressed the vulnerability and confirmed that the leaked information included email addresses and some cell phone numbers, but not decrypted passwords or direct messages. Both Spoutible and Hunt recommend that users change their passwords and reset two-factor authentication. This incident is not uncommon, as similar data-scraping incidents have occurred on platforms like Facebook and Trello. Additionally, Hunt found that bad actors could also access hashed versions of users’ passwords, which could be easily deciphered for short or weak passwords. The API also returned the 2FA code and reset tokens, making it easy for hackers to hijack accounts without the user’s knowledge. The exploit exposed the emails of around 207,000 Spoutible users, nearly the entire user base of the platform.
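The root cause described above, a profile endpoint that handed back the stored user record wholesale (bcrypt hash, 2FA code and reset token included), is fixed structurally by serializing API responses from an explicit allowlist rather than from the raw record. The following is an added example in Python, not Spoutible's code; the field names and the sample record are constructed assumptions, and `leaked_fields` is a regression check a team could run against every endpoint's output.

```python
from typing import Any

# Constructed sample record, as a backend might store it; all values are fake
# and the field names are an assumption, not Spoutible's real schema.
STORED_USER = {
    "id": 42, "username": "alice", "name": "Alice Example", "bio": "hi",
    "email": "alice@example.invalid", "phone": "+15555550100",
    "last_ip": "203.0.113.7",
    "password_hash": "$2b$12$EXAMPLEHASHNOTREALEXAMPLEHASHNOTREALEXAMPLEHASH",
    "totp_code": "482913",
    "reset_token": "f3a1c2e9d4b7",
}

# Exactly the fields a profile endpoint may expose to any caller.
PUBLIC_PROFILE_FIELDS = ("id", "username", "name", "bio")
# Keys that must never appear in any API response, whatever the endpoint.
SECRET_KEYS = {"password_hash", "totp_code", "reset_token"}
# Personal data shown only to the authenticated account owner.
OWNER_ONLY_KEYS = {"email", "phone", "last_ip"}


def public_profile(record: dict[str, Any]) -> dict[str, Any]:
    """Serialize by allowlist: copy only the named public fields, ignore the rest."""
    return {key: record[key] for key in PUBLIC_PROFILE_FIELDS if key in record}


def owner_profile(record: dict[str, Any]) -> dict[str, Any]:
    """Owner view: public fields plus contact data, still never the secrets."""
    allowed = PUBLIC_PROFILE_FIELDS + tuple(sorted(OWNER_ONLY_KEYS))
    return {key: record[key] for key in allowed if key in record}


def unsafe_profile(record: dict[str, Any]) -> dict[str, Any]:
    """The failure mode: dumping the stored record as-is (shown for comparison)."""
    return dict(record)


def leaked_fields(response: Any, *, owner: bool = False) -> set[str]:
    """Regression check: return the forbidden keys found anywhere in a response
    (walks nested dicts and lists, since ORM dumps often nest related objects)."""
    forbidden = SECRET_KEYS if owner else SECRET_KEYS | OWNER_ONLY_KEYS
    found: set[str] = set()
    if isinstance(response, dict):
        for key, value in response.items():
            if key in forbidden:
                found.add(key)
            found |= leaked_fields(value, owner=owner)
    elif isinstance(response, list):
        for item in response:
            found |= leaked_fields(item, owner=owner)
    return found
```

Wiring `leaked_fields` into an API test suite catches the class of bug here: a new field added to the storage model cannot reach a public response unless someone deliberately adds it to the allowlist.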