Twitter alternative Spoutible’s API leaked users’ personal data


The API of Twitter alternative Spoutible could be used to obtain users’ data. Besides private profile data, the API leaked hashed passwords, 2FA secrets and password reset tokens. The leak has now been fixed.

Details of the data breach were published by security researcher Troy Hunt of Have I Been Pwned, after Spoutible had already fixed the problem. Hunt had discovered that names, usernames, email addresses, IP addresses and phone numbers could be obtained via the Spoutible API. According to the researcher, similar ‘scraping incidents’ have happened before at Trello and Facebook.

The security researcher also discovered that the API could be used to obtain the hashes of Spoutible passwords. These were protected with bcrypt, but even with bcrypt, short and simple passwords can be cracked relatively easily.

Hunt was also able to obtain the 2FA secret of a test account he created. That secret is the seed from which the 2FA codes are generated. An attacker who adds it to an authenticator app obtains the same codes as the legitimate user, and thus bypasses 2FA completely. Hunt confirmed this with his own test account, together with another Have I Been Pwned employee.

According to Hunt, users’ 2FA backup codes could also be obtained. These are also hashed with bcrypt, but since they are six-digit codes there are only a million possibilities, and the hash can be cracked within minutes. Finally, the API also leaked complete tokens that can be used to reset an account’s password.

Spoutible confirms the leak on its website and reports that it has now been resolved. According to the platform, ‘email addresses and some telephone numbers’ were scraped. “Decrypted passwords have not been captured,” the social media company wrote. Spoutible recommends that users change their password and reset their 2FA settings.

Left: data from the Spoutible API. Right: an HIBP employee generating 2FA codes from the leaked secret. Source: Troy Hunt.