Spoutible API exposed encrypted password reset tokens, 2FA secrets of users

2024-02-06 14:26

A publicly exposed API of social media platform Spoutible may have allowed threat actors to scrape information that can be used to hijack user accounts.

The problem with the Spoutible API. Security consultant Troy Hunt has been tipped off about the API by an individual who shared a file with 207,000 Spoutible user records - supposedly scraped via the API - and an URL that would allow Hunt to do the same with his own account.

The risk is compounded when a service allows users to set weak passwords - and Spoutible does that, he found.

With a password in hand and the seed to generate the second authentication factor or the un-hashed 2FA backup code, an attacker can easily gain access to the user's account.

Finally, with the exposed password reset token, an attacker could immediately take over ANY user account by performing a password reset.

To add insult to injury, users have no way of invalidating or even seeing active sessions, which means that, once inside, an attacker may have prolonged access to the account even if the legitimate user changes the password.

News URL

https://www.helpnetsecurity.com/2024/02/06/spoutible-api-data-leak/

#2FA #API #encrypted #token