A Spoutible user alleges the firm erased their postings after they pressed CEO Christopher Bouzy to be more transparent about its security problems. The accusations, which the company rejects, are the latest turn in the startup's strange week of security trouble.
Bouzy, who sought to make Twitter more inclusive and kinder, said last week that his firm had revealed users’ emails and phone numbers. However, security researcher Troy Hunt, creator of the Have I Been Pwned website, found that Spoutible’s developer API was also exposing information that bad actors could have used to steal users’ accounts without their knowledge.
Hunt explained his more severe claim on his website, stating that the Spoutible API provided the bcrypt hash of any other user’s password, 2FA secrets, and a token that could be used to reset a user’s password.
As The Verge observed, this vulnerability was readily exploitable and might have enabled a malicious actor to take over a user's account without their knowledge. Hunt learned about it from a third party who claimed to have scraped Spoutible's data. The scrape of the misconfigured API collected 207,000 user records, including "name, email, username, phone, gender, bcrypt password hash, 2FA secret, and password reset token," according to Have I Been Pwned's X account.
Spoutible had 240,000 registered members as of June; therefore, the compromise affected a large portion of the smaller social network. (Spoutible wouldn't provide its current user count.)
Bad actors might have used the flaw to collect hashed passwords, according to the security researcher. The passwords were protected with bcrypt, but shorter passwords would still have been easier to crack. Hunt highlighted that the account holder would not receive an email notification about a password change, so they would never realize their account was no longer under their control.
This would have been a problem for any firm, but especially one with a large user base of early adopters who may have tested Spoutible before switching to another Twitter app, leaving semi-abandoned accounts ripe for exploitation.
Spoutible CEO Christopher Bouzy admitted the data leak and vulnerability and prompted customers to generate stronger passwords after fixing it. He called the vulnerability’s discovery “an attack” on his network and said that the data scraper wanted to damage Spoutible’s reputation.
In a post, Bouzy claimed that the ringleader who attacked Spoutible for a year was the notifier who provided Hunt with the scraped data.
Bouzy elaborated on his claims to Eltrys in an email, asserting that an online group called "Doubtible," which started early last year, was behind the attack. Bouzy stated Doubtible "tweeted falsehoods about Spoutible, me, and prominent members of our community daily" on Twitter/X. In a Trustpilot review Bouzy wrote, "We firmly believe that this group is behind the unauthorized scraping of our data," adding that he was informing the FBI.
"Someone doesn't have to scrape 207k+ records to reveal a vulnerability," Bouzy said. Adding data, however, makes the story far more newsworthy, he argued; Mr. Hunt would be the ideal choice for exposing a weakness in order to damage a company's image, and Mr. Hunt's tweets, blog post, and follow-up video matched their goals, so they chose him. The way Mr. Hunt sensationalized and depicted the situation was precisely what they wanted, he said conspiratorially.
Bouzy alleges that a staff member combined a method from the user-settings API with a function in the public API, so that fields meant to stay encrypted, such as emails and phone numbers, were returned in plain text. He stated that Spoutible has since engaged a security company to assess its systems.
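The failure Bouzy describes, a public endpoint reusing a serializer written for the account owner's own settings page, is a common way for a whole database row to leak. The following is an added illustration, not Spoutible's code: the `User` record, field names, and the `audit_response` egress check are all hypothetical, and the sample record is constructed. It shows the over-sharing serializer beside an allow-list projection, plus a response audit that a defender can run on every outgoing payload so that a repeat of the mistake fails closed instead of shipping.

```python
"""Over-exposure through a shared serializer, beside a hardened version.
Hypothetical example; not Spoutible's code. All names and values are constructed."""
from dataclasses import dataclass, asdict
from typing import Any

# Field names that must never leave the server in any API response.
# The categories mirror what the article reports was exposed.
SECRET_FIELDS = frozenset({"password_hash", "totp_secret", "reset_token"})

# Fields a user is entitled to see about their own account (settings page).
OWNER_FIELDS = ("id", "username", "name", "email", "phone", "gender")

# Fields anyone may see on a public profile.
PUBLIC_FIELDS = ("id", "username", "name")


@dataclass
class User:
    id: int
    username: str
    name: str
    email: str
    phone: str
    gender: str
    password_hash: str   # bcrypt output, e.g. "$2b$12$..."
    totp_secret: str     # 2FA seed
    reset_token: str     # outstanding password-reset token, if any


def settings_view_vulnerable(user: User) -> dict[str, Any]:
    """Serialize the whole row. Convenient for the owner's settings page,
    but every column, secrets included, goes out the door."""
    return asdict(user)


def public_profile_vulnerable(user: User) -> dict[str, Any]:
    """The reported mistake: the public endpoint reuses the settings
    serializer, so the hash, 2FA secret and reset token reach anyone."""
    return settings_view_vulnerable(user)


def _project(user: User, fields: tuple[str, ...]) -> dict[str, Any]:
    """Allow-list projection: only explicitly named fields are copied out."""
    return {f: getattr(user, f) for f in fields}


def settings_view(user: User) -> dict[str, Any]:
    """Owner-only view: contact details, but never credentials."""
    return _project(user, OWNER_FIELDS)


def public_profile(user: User) -> dict[str, Any]:
    """Anonymous view: the minimum needed to render a profile."""
    return _project(user, PUBLIC_FIELDS)


def audit_response(payload: dict[str, Any]) -> list[str]:
    """Defence in depth: an egress check run on every JSON response.
    Returns the offending keys; a non-empty result should abort the
    response and be logged rather than be sent to the client."""
    leaks = [k for k in payload if k in SECRET_FIELDS]
    # Also catch a bcrypt string smuggled out under a renamed key.
    leaks += [k for k, v in payload.items()
              if isinstance(v, str)
              and v.startswith(("$2a$", "$2b$", "$2y$"))
              and k not in leaks]
    return leaks


# Constructed sample record; every value is fake.
SAMPLE = User(id=42, username="alice", name="Alice", email="alice@example.com",
              phone="+15555550100", gender="f",
              password_hash="$2b$12$" + "x" * 53,
              totp_secret="JBSWY3DPEHPK3PXP", reset_token="fake-reset-token")

if __name__ == "__main__":
    print("vulnerable public profile leaks:", audit_response(public_profile_vulnerable(SAMPLE)))
    print("hardened public profile leaks:  ", audit_response(public_profile(SAMPLE)))
```

The allow-list is the real fix: a serializer that names what may go out cannot leak a column that is added to the table later, whereas a deny-list or a full-row dump will. The audit is a safety net for the day someone wires the wrong serializer to the wrong route again.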
Data journalist Dan Nguyen recently reshared internet entrepreneur Anil Dash’s Bluesky essay telling users to “get off spoutible.” Bouzy has subsequently been accused of downplaying the vulnerability. Another Bluesky user colorfully called Spoutible’s data spill “Montezuma’s Revenge.”
A data leak is terrible PR for a startup, but now there are concerns about whether it is suppressing its critics.
Mike Natale, a Spoutible user, accused the CEO of removing his postings after he urged Bouzy to be more open.
“Bouzy deleted all my posts and wiped my wall,” Natale said in response to another Bluesky member.
In another reply, Natale said that Bouzy had reprinted his Spoutible postings to comment on the topic but erased them because he disputed “the narrative that this was an attack” and “that other companies have had the same flaws.”
The missing posts lack the usual deletion tag. When a Spoutible post is removed by its author, a system notice reads "@user deleted this reply." Had Bouzy deleted the replies, the notice would presumably have read "@bouzy deleted this reply."
In Bluesky comments, Natale reported his Spoutible main feed doesn’t load and posts are gone.
The Twitter/X account Doubtible also amplified Natale's assertions. Natale told Eltrys that someone informed him his postings had been pulled following the exchange with Bouzy.
"Spoutible did something to my account immediately after I pushed back on him framing Troy's work as an attack," he stated. Bouzy had "respouted" him many times, so Natale posted more to clarify his position. "Later, on another site, someone inquired whether I had removed my postings. I returned to Spoutible since I hadn't." Natale said he created a support ticket because his wall doesn't load and all his postings are gone, save one or two.
"Spoutible's CEO seems to be doing damage control by manually removing negative comments and suspending users that dispute his story. Infosec veteran Mike Natale had his comments manually deleted from the platform."
Christopher Bouzy, Spoutible CEO, denies removing Natale’s posts.
"We did not erase Natale's posts or account," he said, claiming that users may erase their own content and then fraudulently blame the company, implying a conspiracy. "The allegation is baseless and does not merit further discussion," he added.
Hive, another smaller firm, had a severe security problem after being overwhelmed with Twitter users following Elon Musk's takeover. The firm took down its app to resolve key issues before relaunching. Hive weathered the storm, but it is no longer seen as a threat to Twitter.