Spoutible API exposed encrypted password reset tokens, 2FA secrets of users

A publicly exposed API of social media platform Spoutible may have allowed threat actors to scrape information that can be used to hijack user accounts.

The problem with the Spoutible API

Security consultant Troy Hunt has been tipped off about the API by an individual who shared a file with 207,000 Spoutible user records – supposedly scraped via the API – and an URL that would allow Hunt to do the same with his own account.

The amount and type of information returned to that API query shocked him: not only did the API reveal his username, first and last name, user ID and the content of his bio – “pretty standard stuff” – but the email, IP address, verified phone number associated with the account, as well.

Also – most alarmingly! – it revealed:

• The bcrypt hash of his password
• The seed for generating a one-time password (as a second authentication factor) for accessing the account
• The bcrypt hash of his 2FA backup code
• The password reset token for his account

“I cannot think of any reason ever to return any user’s hashed password to any interface, including an appropriately auth’d one where only the user themselves would receive it. There is never a good reason to do this,” Hunt noted.

“And even though bcrypt is the accepted algorithm of choice for storing passwords these days, it’s far from uncrackable,” he added. An attacker armed with a small dictionary of weak, predictable passwords can easily crack some of the hashes.

The risk is compounded when a service allows users to set weak passwords – and Spoutible does that, he found.

With a password in hand and the seed to generate the second authentication factor (the one-time password) or the un-hashed 2FA backup code, an attacker can easily gain access to the user’s account.

Finally, with the exposed password reset token, an attacker could immediately take over ANY user account by performing a password reset.

“After changing the password, no notification email was sent to the account holder so just to make things even worse, if someone’s account was taken over using this technique they’d have absolutely no idea until they either realised their original password no longer worked or their account started spouting weird messages,” Hunt explained.

To add insult to injury, users have no way of invalidating or even seeing active sessions, which means that, once inside, an attacker may have prolonged access to the account even if the legitimate user changes the password.

What should (all) Spoutible users do?

After Hunt notified Spoutible founder Christopher Bouzy of the findings, the development team quickly modified the API to return only certain non-sensitive user data.

The company has publicly confirmed the incident, though they only said that “decrypted passwords and direct messages were not disclosed,” and that “the information scraped included email addresses and some cell phone numbers”.

Hunt has added the 207,114 scraped emails to the Have I Been Pwned? service, where Spoutible users can check whether their data has been compromised.

They are advised to change their account password, reset their 2FA, and monitor the account for unusual account. “If you enabled cross-posting to Mastodon or Bluesky, out of an abundance of caution you should invalidate the keys on those platforms,” Hunt added.