As many of you have probably heard, the social media site Parler went offline on Sunday after Amazon Web Services cut off hosting for the social media outlet, following use of the site to promote and coordinate last week’s invasion of the US Capitol building. However, according to a Wired article, that may be the least of the concerns that participants of the site may have.
In the article An Absurdly Basic Bug Let Anyone Grab All of Parler’s Data, Andy Greenberg notes that “[i]n the days and hours before that shutdown, a group of hackers scrambled to download and archive the site, uploading dozens of terabytes of Parler data to the Internet Archive. One pseudonymous hacker who led the effort and goes only by the Twitter handle @donk_enby told Gizmodo that the group had successfully archived ‘99 percent’ of the site’s public contents, which she said includes a trove of ‘very incriminating’ evidence of who participated in the Capitol raid and how.”
While rumors circulated across social media that the mass “disemboweling” of Parler’s data had been carried out by exploiting a security vulnerability in the site’s two-factor authentication that allowed hackers to create ‘millions of accounts’ with administrator privileges, the truth was apparently far simpler. Parler lacked the most basic security measures that would have prevented the automated scraping of the site’s data. It even ordered its posts by number in the site’s URLs, so that anyone could have easily, programmatically downloaded the site’s millions of posts.
Parler’s cardinal security sin is known as an insecure direct object reference (IDOR), says Kenneth White, codirector of the Open Crypto Audit Project, who looked at the code of the download tool @donk_enby posted online. An IDOR occurs when a hacker can simply guess the pattern an application uses to refer to its stored data. In this case, the posts on Parler were simply listed in chronological order: increase a value in a Parler post URL by one, and you’d get the next post that appeared on the site. Parler also doesn’t require authentication to view public posts and doesn’t use any sort of “rate limiting” that would cut off anyone accessing too many posts too quickly. Together with the IDOR issue, that meant that any hacker could write a simple script to reach out to Parler’s web server and enumerate and download every message, photo, and video in the order they were posted.
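To make the three gaps White describes concrete (a guessable identifier, no authentication, no rate limiting), here is an added example in Python that is not from the article, from Parler, or from the download tool. It places a constructed handler that looks posts up by a sequential integer next to a hardened version that uses random 128-bit identifiers, requires a session, rate-limits each client, and still checks authorization on non-public posts. The data store, client addresses, and the `hardened_get_post` and `RateLimiter` names are all assumptions made for the illustration.

```python
import secrets
import time
from collections import defaultdict

# --- Vulnerable pattern: a constructed stand-in for the design described above ---
# Posts keyed by a sequential counter that is exposed directly in the URL.
SEQUENTIAL_POSTS = {
    1: {"author": "alice", "body": "first post", "public": True},
    2: {"author": "bob", "body": "second post", "public": True},
    3: {"author": "carol", "body": "private draft", "public": False},
}


def vulnerable_get_post(post_id: int):
    """Handler for GET /post/<int>: no session check, no rate limit, and the
    id is a predictable counter, so every record is one increment away."""
    return SEQUENTIAL_POSTS.get(post_id)


# --- Hardened pattern (an assumed design, not Parler's actual code) ---
class PostStore:
    """Posts keyed by a random, unguessable identifier instead of a counter."""

    def __init__(self):
        self._posts = {}

    def create(self, author: str, body: str, public: bool = True) -> str:
        post_id = secrets.token_urlsafe(16)  # 128 bits of randomness, URL-safe
        self._posts[post_id] = {"author": author, "body": body, "public": public}
        return post_id

    def get(self, post_id: str):
        return self._posts.get(post_id)


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds
    for each client key (IP or session). `clock` is injectable for testing."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(list)

    def allow(self, client: str) -> bool:
        now = self.clock()
        # keep only the timestamps still inside the window
        recent = [t for t in self._hits[client] if now - t < self.window]
        if len(recent) >= self.limit:
            self._hits[client] = recent
            return False
        recent.append(now)
        self._hits[client] = recent
        return True


def hardened_get_post(store: PostStore, limiter: RateLimiter,
                      client_ip: str, session_user, post_id: str):
    """Handler for GET /post/<id>. Returns (http_status, post_or_None).
    Each layer is independent, because each of the three gaps the article
    names would on its own have made bulk collection easier."""
    if session_user is None:
        return 401, None                      # reads require a login
    if not limiter.allow(client_ip):
        return 429, None                      # too many requests from this client
    post = store.get(post_id)
    if post is None:
        return 404, None
    if not post["public"] and post["author"] != session_user:
        return 403, None                      # authorization, not just an unguessable id
    return 200, post


if __name__ == "__main__":
    store = PostStore()
    limiter = RateLimiter(limit=100, window=60.0)
    pid = store.create("alice", "hello")      # constructed sample post
    print(pid, hardened_get_post(store, limiter, "203.0.113.5", "bob", pid))
    print(hardened_get_post(store, limiter, "203.0.113.5", None, pid))
```

The random identifier removes the "add one and get the next post" property, but it is not a substitute for the authorization check: a private post must still be refused to anyone who is not its owner even if they somehow learn its id. The session requirement and the per-client limit are what turn a silent bulk download into something the operator can see and throttle.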
“It’s just a straight sequence, which is mind-numbing to me,” says White. “This is like a Computer Science 101 bad homework assignment, the kind of stuff that you would do when you’re first learning how web servers work. I wouldn’t even call it a rookie mistake because, as a professional, you would never write something like this.”
Parler also appears to have failed to scrub geolocation metadata from images and videos before they were posted. So, while the data that hackers have pulled from the site may be public, the result is that much of that archived content also contains Parler users’ detailed locations, likely revealing the GPS coordinates of many of their homes. “This is as bad as it gets,” White says. “It’s gross incompetence on the part of Parler. They marketed themselves as a private, secure, unmoderated platform, and instead it’s comedy hour.”
Hmmm. I could have a lot to say here, but sometimes it’s best to quote Forrest Gump and say, “that’s all I have to say about that”.
So, what do you think? How much do you know about the social media sites where you post entries? Please share any comments you might have or if you’d like to know more about a particular topic.
Image Copyright © Paramount Pictures
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.