A user on the Twitter/X alternative Bluesky claims that Spoutible removed his posts after he pressured Spoutible CEO Christopher Bouzy to be more honest about the nature of its recent security issue. The claims, which the company denies, are the latest strange twist in the saga of security incidents that took place last week at the startup.
Last week, Bouzy acknowledged a security vulnerability which, according to him, had exposed users' emails and phone numbers at the startup, positioned as a more inclusive and friendly Twitter alternative. However, security researcher Troy Hunt, creator of the Have I Been Pwned? website, which allows people to check whether their data was compromised in a data breach, found that Spoutible's developer API was also exposing information that bad actors could have used to take over users' accounts without their knowledge.
Hunt detailed his findings on that much more serious charge on his website, noting that the Spoutible API returned data including the bcrypt hash of any other user's password, as well as 2FA (two-factor) secrets and the token that could be reused to reset a user's password.
In short, this vulnerability was highly exploitable and could have allowed a bad actor to take over a user's account without the user's knowledge, as The Verge reported at the time. Hunt had been alerted to this issue by a third party who claimed to have extracted data from Spoutible's service. As the Have I Been Pwned account confirmed on X, 207,000 Spoutible user records had been extracted from its misconfigured API, including “name, email, username, phone, gender, bcrypt password hash, 2FA secret, and password reset token.”
As of last June, Spoutible had 240,000 registered users, so the breach affected a large portion of the smaller social network's user base.
The security researcher explained that the vulnerability could have been exploited by bad actors, who could have obtained a hashed version of users' passwords. Although the passwords were protected by bcrypt, shorter passwords would have been easier to guess and crack. Additionally, no email notification would be sent to the account holder about a password change, so they would never have known that their account was no longer under their control, Hunt said.
This sort of thing would have been a problem for any startup, but particularly one whose user base is full of early adopters who may have simply tried Spoutible for a while before moving on to another Twitter alternative, leaving semi-abandoned accounts ripe for takeover.
Spoutible CEO Christopher Bouzy confirmed the data breach and vulnerability, and the company required users to create new, more secure passwords after addressing the problem. However, he also referred to the discovery of the vulnerability as “an attack” on his network and alleged that the person who extracted the data was someone who intended to damage Spoutible's reputation.
“We are… certain that the person involved is the ringleader who has been attacking Spoutible for a year,” Bouzy said in a post, referring to the person who sent Hunt the extracted records.
In an email to TechCrunch, Bouzy laid out his theory in more detail, claiming that the online group known as “Doubtible,” which emerged early last year, was behind the attack. Doubtible has a Twitter/X account which has “tweeted falsehoods daily about Spoutible, me, and prominent members of our community,” Bouzy said. “We strongly believe that this group is behind the unauthorized extraction of our data,” an accusation Bouzy echoed in a response to a review on Trustpilot, where he also suggested he was alerting the FBI about the matter.
“Someone doesn't have to extract more than 207,000 records to reveal a vulnerability,” Bouzy continued. “However, by also including data, it makes it significantly more interesting. If someone intends to expose a vulnerability that tarnishes a company's reputation, Mr. Hunt would be their ideal contact. The reason behind choosing him is clear: Mr. Hunt's tweets, blog post and follow-up video align perfectly with their intentions. The way Mr. Hunt sensationalized and portrayed the incident is exactly what they expected,” he added conspiratorially.
Bouzy says the security vulnerability arose because someone on his team reused a function intended for the user settings API in a function designed for the public API, which is why encrypted emails and phone numbers were exposed in plaintext format. He said Spoutible has now partnered with a security company to further review its systems in light of this incident.
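To make that failure mode concrete, here is an added illustration (not Spoutible's code, which is not public; the record fields and function names are assumed) of a public-profile endpoint that reuses a settings serializer, beside an allowlist-based serializer and a regression check that catches sensitive keys anywhere in a response, including nested objects:

```python
# Added illustration of the serializer-reuse bug described above and a
# defensive alternative. Not Spoutible's code; all field names are assumed.

# Columns that must never appear in a response to an unauthenticated caller.
SENSITIVE_FIELDS = {"email", "phone", "password_hash", "totp_secret", "reset_token"}

# Constructed sample record, shaped like what a settings/internal API would load.
SAMPLE_USER = {
    "username": "alice",
    "name": "Alice Example",
    "gender": "f",
    "email": "alice@example.invalid",
    "phone": "+1-555-0100",
    "password_hash": "$2b$12$<constructed-bcrypt-hash>",
    "totp_secret": "<constructed-2fa-secret>",
    "reset_token": "<constructed-reset-token>",
}


def settings_serializer(user: dict) -> dict:
    """Serializer for the authenticated owner's own settings page.
    Returning every column is acceptable only here, where caller == owner."""
    return dict(user)


def public_profile_vulnerable(user: dict) -> dict:
    """The bug described in the article: the public endpoint reuses the
    settings serializer, so every column is returned to any caller."""
    return settings_serializer(user)


# Fields explicitly approved for the public profile view.
PUBLIC_FIELDS = ("username", "name", "gender")


def public_profile_hardened(user: dict) -> dict:
    """Allowlist: copy only approved fields. A column added to the user
    table later stays private unless someone deliberately lists it here."""
    return {k: user[k] for k in PUBLIC_FIELDS if k in user}


def leaked_fields(response) -> set:
    """Regression check for an API test suite or response middleware:
    return every sensitive key found in a response, recursing into nested
    dicts and lists (e.g. an author object embedded in a post)."""
    found = set()
    if isinstance(response, dict):
        for key, value in response.items():
            if key in SENSITIVE_FIELDS:
                found.add(key)
            found |= leaked_fields(value)
    elif isinstance(response, list):
        for item in response:
            found |= leaked_fields(item)
    return found
```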
Still, several people have since accused Bouzy of trying to downplay the severity of the vulnerability, including data journalist Dan Nguyen, who recently shared a post by tech entrepreneur Anil Dash on Bluesky warning users to “stop talking.” Another Bluesky user colorfully referred to Spoutible's dumping of user data as something akin to “Moctezuma's Revenge.”
Although a data breach is already a bad look for a startup, there are now questions about whether the company is silencing its critics.
A Spoutible user, Mike Natale, has publicly accused the CEO of deleting his posts on the social network, where he had pressured Bouzy to be more transparent.
“Bouzy… deleted all my posts and deleted my wall,” Natale wrote, in response to another Bluesky user.
In another reply, Natale said that Bouzy had initially reposted his posts on Spoutible to comment on the matter, but then removed all of Natale's posts when he rejected “the narrative that this was an attack” and “that other companies have had the same flaws.”
The missing posts do not carry the usual label indicating deletion. On Spoutible, deleted posts have a system note attached that says “@user deleted this reply.” For example, if Bouzy had deleted the reply, it would have read “@bouzy deleted this reply.”
But in this case, Natale said in comments on Bluesky that the posts simply disappeared and his main Spoutible feed doesn't even load.
The Twitter/X account Doubtible also posted about Natale's claims. Natale has not responded to requests for comment.
Meanwhile, Spoutible CEO Christopher Bouzy denies removing Natale's posts.
“Regarding the problem with the user Natale, we did not delete his posts or his account. It is possible that users delete their own content and then falsely accuse us,” he said, again suggesting a conspiracy. “The accusation is unfounded and does not deserve further discussion,” he concluded.
The incident at Spoutible is reminiscent of another smaller company, Hive, which also experienced a major security issue after being inundated with Twitter users shortly after the Elon Musk acquisition. In that case, the startup completely shut down its app to fix critical flaws before returning to the app store. Hive managed to weather the storm and eventually return, but is no longer considered a threat to Twitter after missing the opportunity.
It also remains to be seen whether Spoutible's reputation will recover from this stain.