{"id":73621,"date":"2024-02-05T15:16:25","date_gmt":"2024-02-05T15:16:25","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2024\/02\/05\/twitter-alternative-spouts-a-massive-leak\/"},"modified":"2024-02-05T15:16:25","modified_gmt":"2024-02-05T15:16:25","slug":"twitter-alternative-spouts-a-massive-leak","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2024\/02\/05\/twitter-alternative-spouts-a-massive-leak\/","title":{"rendered":"Twitter alternative spouts a massive leak"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white\">Security consultant and Have I Been Pwned creator Troy Hunt has detailed a vulnerability in the API of Spoutible, a social platform that emerged following Elon Musk\u2019s takeover of Twitter, that could allow hackers to take full control of users\u2019 accounts. <\/p>\n<\/div>\n<div>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white\">After someone alerted Hunt to the vulnerability, <a href=\"https:\/\/www.troyhunt.com\/how-spoutibles-leaky-api-spurted-out-a-deluge-of-personal-data\/\" target=\"_blank\" rel=\"noopener\">he discovered that hackers could exploit<\/a> Spoutible\u2019s API to obtain a user\u2019s name, username, and bio, along with their email, IP address, and phone number. 
Spoutible has since addressed the vulnerability, <a href=\"https:\/\/help.spoutible.com\/support\/solutions\/articles\/150000174284-important-security-update\" target=\"_blank\" rel=\"noopener\">writing in a post on its site<\/a> that it didn\u2019t leak decrypted passwords or direct messages, while confirming the \u201cinformation scraped included email addresses and some cell phone numbers.\u201d It invited anyone who still wants to use the service back for a \u201cspecial Pod session\u201d at 1PM ET. Both Spoutible and Hunt recommend that users change their passwords and reset 2FA.<\/p>\n<\/div>\n<div>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white\">As mentioned by Hunt, this isn\u2019t entirely uncommon, as seen in similar data-scraping incidents on platforms like <a href=\"https:\/\/www.theverge.com\/2021\/4\/4\/22366822\/facebook-personal-data-533-million-leaks-online-email-phone-numbers\" target=\"_blank\" rel=\"noopener\">Facebook<\/a> and <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/trello-api-abused-to-link-email-addresses-to-15-million-accounts\/\" target=\"_blank\" rel=\"noopener\">Trello<\/a>.<\/p>\n<\/div>\n<div>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white\">However, Hunt discovered something much more alarming: bad actors could also use the exploit to obtain a hashed version of users\u2019 passwords. 
While the hashes were bcrypt, which slows guessing but does not prevent it, short or common passwords can still be recovered by hashing candidate guesses until one matches, and the service capped password length, so users could not choose the longer passwords that would resist such guessing. <\/p>\n<\/div>\n<div>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white\">And, to top it all off, Hunt found that the API returned the 2FA code used to sign in to someone\u2019s account, as well as the reset tokens generated to help a user change a forgotten password. With a password-reset token or the 2FA code in hand, an attacker could take over an account without alerting its owner.<\/p>\n<\/div>\n<div>\n<p class=\"duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white\">According to Hunt, the exploit exposed the emails of around 207,000 users. 
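The pattern behind the exposure described above (an API that serialises the whole stored user record, so the password hash, 2FA material and reset token ride along with the public profile) is shown here as an added example. This is illustration code written for this page, not Spoutible's code and not from Hunt's write-up; the record layout and field names (`password`, `two_factor_code`, `password_reset_token`, and so on) are assumed for the example, since the article does not give Spoutible's real field names. It contrasts the over-exposing serializer with an allowlist projection, and adds a response audit that walks a decoded JSON body and flags keys that should never leave a public endpoint.

```python
"""Added example: API over-exposure of a user record, the allowlist fix,
and a response audit.  Field names below are assumed for illustration;
they are not Spoutible's schema."""
import json
import re

# Constructed sample record (all values fake).  The "password" value is a
# bcrypt-shaped placeholder string, not a real hash of anything.
SAMPLE_USER = {
    "id": 12345,
    "username": "alice",
    "name": "Alice Example",
    "bio": "Hello there",
    "email": "alice@example.invalid",
    "phone": "+15555550100",
    "ip_address": "203.0.113.7",
    "password": "$2b$12$" + "x" * 53,
    "two_factor_code": "123456",
    "password_reset_token": "reset-token-placeholder",
}


def serialize_user_vulnerable(user):
    """The failure mode: dump the stored record as-is.  Every column,
    secrets included, becomes part of the API response."""
    return json.dumps(user)


# Fields a public profile endpoint is permitted to return.  Anything not
# listed here (including columns added later) is excluded by default.
PUBLIC_PROFILE_FIELDS = ("id", "username", "name", "bio")


def public_profile(user):
    """Hardened form: project the record onto an explicit allowlist."""
    return {k: user[k] for k in PUBLIC_PROFILE_FIELDS if k in user}


def serialize_user_public(user):
    return json.dumps(public_profile(user))


# Key-name fragments that should never appear in a public response.  This
# denylist is a safety net for tests and logging, not a replacement for
# the allowlist above.
SENSITIVE_KEY_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"passw", r"hash", r"secret", r"token", r"2fa", r"two_factor",
              r"otp", r"email", r"phone", r"ip_addr")
]


def find_sensitive_keys(body):
    """Walk a decoded JSON body (dicts/lists nested arbitrarily) and return
    the dotted paths of keys matching SENSITIVE_KEY_PATTERNS, in order."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if any(r.search(key) for r in SENSITIVE_KEY_PATTERNS):
                    hits.append(here)
                walk(value, here)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")

    walk(body, "")
    return hits


def audit_response(raw_json):
    """Parse a raw JSON response body and report leaked-looking keys.
    Wire this into an integration test so a new secret-bearing column
    fails the build instead of shipping."""
    return find_sensitive_keys(json.loads(raw_json))


if __name__ == "__main__":
    print("vulnerable:", audit_response(serialize_user_vulnerable(SAMPLE_USER)))
    print("hardened:  ", audit_response(serialize_user_public(SAMPLE_USER)))
```

The allowlist is the real fix: a denylist only catches names it already knows, whereas a projection keeps a new column out of the response until someone deliberately adds it to `PUBLIC_PROFILE_FIELDS`. The audit is still worth running against every public endpoint in CI, because it catches the case where a developer serialises a raw ORM object somewhere the projection is not applied.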
That\u2019s nearly everyone on the whole platform, as <a href=\"https:\/\/www.wired.com\/story\/christopher-bouzy-spoutible-race-to-unseat-twitter\/\" target=\"_blank\" rel=\"noopener\">a June 2023 report from <em>Wired<\/em><\/a> indicated Spoutible had 240,000 users.<\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/www.theverge.com\/2024\/2\/5\/24061997\/twitter-alternative-spoutible-vulnerabilty\" target=\"_blank\" rel=\"noopener\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security consultant and Have I Been Pwned creator Troy Hunt has detailed a vulnerability in the API of Spoutible, a social platform that emerged following Elon Musk\u2019s takeover of Twitter, that could allow hackers to take full control of users\u2019 accounts. After someone alerted Hunt to the vulnerability, he discovered that hackers could exploit Spoutible\u2019s [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":73622,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":{"0":"post-73621","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech"},"_links":{"self":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/73621","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=73621"}],"version-history":[{"count":0,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/73621\/revisions"}],"wp:featuredmedia":[{"embeddable":true
,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/73622"}],"wp:attachment":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=73621"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=73621"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=73621"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}