February 6, 2024 By Helga Labus
A publicly exposed API of social media platform Spoutible may have allowed threat actors to scrape information that can be used to hijack user accounts.
The problem with the Spoutible API
Security consultant Troy Hunt was tipped off about the API by an individual who shared a file with 207,000 Spoutible user records – supposedly scraped via the API – and a URL that would allow Hunt to do the same with his own account.
The amount and type of information returned by that API query shocked him: not only did the API reveal his username, first and last name, user ID and the content of his bio – “pretty standard stuff” – but also the email address, IP address and verified phone number associated with the account.
Also – most alarmingly! – it revealed:
- The bcrypt hash of his password
- The seed for generating a one-time password (as a second authentication factor) for accessing the account
- The bcrypt hash of his 2FA backup code
- The password reset token for his account
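The four items above are authentication material, and the exposure pattern behind them is a profile endpoint that returns the stored user record wholesale instead of a deliberately chosen subset. The following is an added example, not code from the article or from Spoutible: a leaky serializer that dumps the whole record, beside a hardened one that builds the response from an explicit allowlist (public fields for everyone, contact details only for the authenticated owner, credential material never) and refuses to emit a response that still carries a secret. The record, its field names and all values are constructed placeholders.

```python
from typing import Any

# Constructed sample record (placeholders, not real hashes, seeds or tokens):
# roughly the kinds of columns a backend might hold for one account.
USER_RECORD: dict[str, Any] = {
    "id": 12345,
    "username": "example_user",
    "first_name": "Ada",
    "last_name": "Example",
    "bio": "Just here for the posts.",
    "email": "ada@example.invalid",
    "ip_address": "203.0.113.7",
    "phone": "+15555550100",
    "password_hash": "$2b$12$CONSTRUCTED-PLACEHOLDER-HASH",
    "totp_seed": "CONSTRUCTEDBASE32SEED",
    "backup_code_hash": "$2b$12$CONSTRUCTED-PLACEHOLDER-HASH-2",
    "password_reset_token": "constructed-reset-token",
}

# Tier 1: safe for any caller of the public profile endpoint.
PUBLIC_FIELDS = frozenset({"id", "username", "first_name", "last_name", "bio"})
# Tier 2: personal data, returned only to the authenticated account owner.
OWNER_ONLY_FIELDS = frozenset({"email", "ip_address", "phone"})
# Tier 3: authentication material that no API response may ever carry.
NEVER_EXPOSE = frozenset({
    "password_hash", "totp_seed", "backup_code_hash", "password_reset_token",
})


def leaked_fields(response: dict[str, Any]) -> set[str]:
    """Egress check usable in an integration test or a response filter:
    which keys of this response are on the never-expose list?"""
    return set(NEVER_EXPOSE & response.keys())


def serialize_profile_leaky(record: dict[str, Any]) -> dict[str, Any]:
    """The failure mode described in the article: the handler returns the
    stored record as-is, so every column, secrets included, becomes part of
    the response body."""
    return dict(record)


def serialize_profile(record: dict[str, Any], viewer_is_owner: bool = False) -> dict[str, Any]:
    """Hardened version: start from an explicit allowlist and widen it only
    for the account owner. Columns added to the record later are not exposed
    unless someone consciously adds them to a tier."""
    allowed = PUBLIC_FIELDS | (OWNER_ONLY_FIELDS if viewer_is_owner else frozenset())
    response = {k: record[k] for k in allowed if k in record}
    # Belt and braces: even if a secret field is mistakenly added to a tier,
    # fail closed rather than ship it.
    leaked = leaked_fields(response)
    if leaked:
        raise RuntimeError(f"refusing to serialize secret fields: {sorted(leaked)}")
    return response


if __name__ == "__main__":
    print("leaky response leaks:", sorted(leaked_fields(serialize_profile_leaky(USER_RECORD))))
    print("public view:        ", serialize_profile(USER_RECORD))
    print("owner view:         ", serialize_profile(USER_RECORD, viewer_is_owner=True))
```

The design point is the direction of the default: the leaky version exposes every new column automatically, while the allowlisted version requires an explicit decision per field, and `leaked_fields` gives a test suite a single place to assert that no response from any endpoint contains credential material.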