Spoutible’s API Leaked 2FA Seeds, Password Reset Tokens

Microblogging site Spoutible fixed an API flaw that leaked user data, including hashed passwords, password reset tokens and information that could be used to bypass two-factor authentication (2FA).

Troy Hunt, a Microsoft Regional Director and MVP best known as the creator of data breach information website “Have I Been Pwned?,” first reported the flaw to Spoutible on Feb. 4 and the vulnerability was fixed a few hours later, Hunt wrote on his blog Monday.

Hunt said the Spoutible flaw was brought to his attention last week by someone who sent him a file containing 207,000 records scraped from the site’s API.

Spoutible Founder and CEO Christopher Bouzy, who has previously promoted the platform as an alternative to X (formerly known as Twitter), released a statement Tuesday informing users about the data leak and how to secure their accounts.

“We are taking this matter extremely seriously. We have already implemented additional security measures to prevent future incidents, and we will notify the appropriate authorities, including the FBI,” Bouzy wrote.

Spoutible users were advised to change their passwords, reset 2FA and continue to monitor their accounts for suspicious activity.

Spoutible API vulnerability could enable account takeover

Hunt outlined the Spoutible vulnerability in his blog post, expressing shock at the types of information available publicly via the API.

In addition to email addresses, IP addresses and phone numbers (for users that linked a phone number to their account), the API leaked bcrypt hashed passwords, 2FA seeds, bcrypt hashed 2FA backup codes and password reset tokens.

While the passwords and backup codes were not leaked in an unencrypted format, Hunt pointed out that bcrypt hashes are relatively easy to crack. He demonstrated this by challenging his followers on X to decrypt the hash of a six-digit 2FA backup code, which one of his followers successfully did in under three minutes.  

Hunt also noted that Spoutible has few requirements for password strength, only mandating that passwords be between six and 20 characters.

In addition, Hunt demonstrated how the 2FA seeds, or “2fa_secret” field items, leaked by the API could be used to generate a one-time password as a second factor. With this information, along with the 2FA backup code, even accounts with 2FA activated were vulnerable to takeover.

Lastly, the password reset token exposed by the API would enable anyone to take over an account completely just by changing the account password. Users would not receive an email informing them their password was changed, nor was there a way for them to view all the logged in sessions on their account, Hunt wrote.

In addition to reporting the issue to Sproutible, Hunt added all 207,000 of the scraped email addresses sent to him to the searchable breach database at “Have I Been Pwned?”

Spoutible CEO defends platform, alleges ‘malicious’ data scraping

Hunt praised Spoutible for its “excellent” response time in fixing the flaw and said Bouzy’s communication with him regarding the data leak was “commendable.”

Many responses to the security update similarly praised the company and CEO’s swift response, while some criticized the fact that Bouzy’s statement only said “email addresses and some cell phone numbers” were exposed.   

On his own Spoutible and X accounts, Bouzy defended the platform and accused the person who sent the scraped records to Hunt of conducting an “attack” on the site.

“Attacks by malicious actors on Spoutible are not an anomaly, mirroring incidents on established platforms like Twitter, Facebook, Instagram, and TikTok among many others, which have seen the leak of hundreds of millions of records despite their vast resources,” Bouzy wrote on X.

He continued: “The distinct difference in Spoutible’s case was our swift and decisive action—rectifying the situation promptly and informing our users within a matter of hours, in start contrast to the delayed responses of days, weeks, months, or even years seen elsewhere.”

Bouzy also questioned the motives of the person who reached out to Hunt rather than contacting the site itself.

“A person doesn’t need to scrape 200k+ accounts to reveal a vulnerability. They could’ve easily contacted us and/or Troy outlying the security flaw. So to suggest that the scraping of the data and giving it to Troy wasn’t malicious is MAGA delusion,” Bouzy wrote on Spoutible.

READ MORE HERE