An absurdly basic mistake lets anyone get hold of all of Parler’s data
The “free speech” social network also allowed unlimited access to all public posts, images, and videos. became a haven for disinformation, hate speech, and calls for violence, the kind of content that is generally blocked on more mainstream platforms like Twitter and Facebook.
However, it is fair to say that by “free speech” the creators of the site did not mean that Anyone could freely download all messages, photos, and videos posted on the site, including sensitive geolocation data. However, a very basic flaw in Parler’s architecture seems to have made it too easy to do just that.
On Sunday night, Parler went offline after Amazon Web Services cut off the social media hosting, a decision that followed the use of the site as a tool to plan and coordinate the pro-Trump mafia’s insurrectional invasion of the US Capitol building last week. In the days and hours leading up to that shutdown, a group of hackers scrambled to download and archive the site, uploading dozens of terabytes of Parler’s data to the Internet Archive.
Amazon Discontinues Parler’s Web Hosting After Apple, Google bans
A pseudonymous hacker who led the effort and who only goes by Twitter user @donk_enby told Gizmodo that the group had successfully archived “99 percent” of the site’s public content, which she claims includes a treasure trove of “highly incriminating” evidence of who participated in the Capitol raid and how. on Reddit and on social media that the massive gutting of Parler’s data had been carried out by exploiting a security vulnerability in the site’s two-factor authentication that allowed hackers to create “millions of accounts” with administrator privileges.
The truth was much simpler: Parler lacked the most basic security measures that would have prevented the automatic scraping of data from the site. It even sorted its posts by number in the site’s URLs, so anyone could easily and programmatically download the site’s millions of posts.
Twitter removes China’s tweet “baby-making machines” about Uyghur women
Parler’s main security sin is known as an insecure direct object reference, says Kenneth White, co-director of the Open Crypto Audit Project looked at the @donk_enby download tool code posted online. An IDOR occurs when a hacker can simply guess the pattern that an application uses to refer to the stored data. In this case, the posts on Parler have simply been listed in chronological order: if you increment a value in a Parler Post URL, you will get the next post that appears on the site.
Parler also doesn’t require authentication to view public posts, and doesn’t use any kind of “rate limiting”. That would keep anyone from accessing too many posts too quickly. Coupled with the IDOR problem, this meant that any hacker could write a simple script to access Parler’s web server and list and download every message, photo, and video in the order in which they were posted.
Apple and Google take action against Parler after violent threats
“It is just a straight sequence that annoys me, “says White. “This is like bad computer science 101 homework, the kind of thing you would do the first time you learn how web servers work. I wouldn’t even call it a rookie mistake because as a professional you would never do it . ” write something like that. “
Services like Twitter, on the other hand, randomize the URLs of the posts so that they cannot be guessed. And while they offer APIs that developers can use to access tweets in bulk, they carefully limit access to those APIs. In contrast, Parler didn’t have authentication for an API that provides access to all public content, says Josh Rickard, security engineer for fixed swimlane security.
Reddit Bans Subreddit “r / donaldtrump” For “Repeated Policy Violation”
“It honestly seemed like an oversight or just lazy,” says Rickard, who says he looked at Parler’s security architecture on a personal basis. “They didn’t think about how big they were going to get, so they didn’t get it right. “
Despite Parler’s vulnerabilities, @donk_enby has been careful to counter rumors that hackers had accessed all of Parler’s information, including the images of driver’s licenses Parler requires users to have a verified account. “Only things that were publicly available via the web were archived,” @donk_enby wrote in a Twitter post.
A Reddit rumor that hackers gained access to more private data on the site, due to SMS provider Twilio severing ties with Parler and disabling both of their Factor Authentication – it was “bullshit,” confirmed @donk_enby in a message to WIRED. While Twilio removed Parler as a customer, the result was that hackers could bypass two-factor authentication if they knew an account’s password or could generate new accounts, she says. They were unable to access existing accounts
Still, White notes that Parler appears not to have removed the geolocation metadata from the images and videos before they were published, so while the data hackers have extracted from the site may be public, the result is that much of that archived content also contains the detailed locations of Parler users, likely to reveal the GPS coordinates of many of their homes. Data artist Kyle McDonald has already created a visualization of the 68,000 locations of Parler’s archived videos.
gps metadata of 68k videos uploaded to parler pic.twitter.com/t4WKzJ8thB
— Kyle McDonald (@kcimc) January 12, 2021
He says “It’s gross incompetence on Parler’s part. They touted themselves as a private, secure, and unrestrained platform, and instead, it’s time for comedy.” “
Despite being disconnected from Amazon Web Services, Google Play Store, and Apple App Store, Parler has vowed to return: Company investor Dan Bongino told Fox News on Monday that the service would be online again” by the end of the week. . “
When Parler returns, White argues that it needs to take a closer look at its security engineering. Its flaws, he speculates, likely go deeper than the ability to massively download its public data.” “When you walk up to a car with duct tape on the bumper, puddles of oil under it, and stains of rust, you can make some reasonable assumptions about the condition of the engine,” says White. “If a Python script can archive all of its users’ content with simple web requests, then it has a serious architecture problem.
Wired / TechConflict.Com