UPDATE: FAR WORSE THAN WE THOUGHT:
By Monday, rumors were circulating on Reddit and across social media that the mass disemboweling of Parler’s data had been carried out by exploiting a security vulnerability in the site’s two-factor authentication that allowed hackers to create “millions of accounts” with administrator privileges. The truth was far simpler: Parler lacked the most basic security measures that would have prevented the automated scraping of the site’s data. It even ordered its posts by number in the site’s URLs, so that anyone could have easily, programmatically downloaded the site’s millions of posts.
Parler’s cardinal security sin is known as an insecure direct object reference, says Kenneth White, codirector of the Open Crypto Audit Project, who looked at the code of the download tool @donk_enby posted online. An IDOR occurs when a hacker can simply guess the pattern an application uses to refer to its stored data. In this case, the posts on Parler were simply listed in chronological order: increase a value in a Parler post URL by one, and you’d get the next post that appeared on the site. Parler also doesn’t require authentication to view public posts and doesn’t use any sort of “rate limiting” that would cut off anyone accessing too many posts too quickly. Together with the IDOR issue, that meant that any hacker could write a simple script to reach out to Parler’s web server and enumerate and download every message, photo, and video in the order they were posted.
“It’s just a straight sequence, which is mind-numbing to me,” says White. “This is like a Computer Science 101 bad homework assignment, the kind of stuff that you would do when you’re first learning how web servers work. I wouldn’t even call it a rookie mistake because, as a professional, you would never write something like this.”
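To make the three failures White describes concrete, here is an added example (constructed for this post, not Parler’s code or the download tool) showing a post store with counter-based ids and no checks next to a hardened one that uses random opaque ids, a per-client rate limit, and an ownership check whose failure looks the same as a missing post:

```python
import secrets
import time
from collections import defaultdict, deque

# Vulnerable shape: ids come from a counter, so post n+1 is always guessable from post n,
# and nothing checks who is asking or how fast.  Constructed example, not Parler's code.
class SequentialStore:
    def __init__(self):
        self._posts, self._next = {}, 1
    def add(self, body):
        post_id, self._next = self._next, self._next + 1
        self._posts[post_id] = body
        return post_id
    def fetch(self, post_id):
        return self._posts.get(post_id)

# Hardened shape: random opaque ids, per-client rate limiting, and an ownership check
# whose failure is indistinguishable from a missing post.
class PostStore:
    def __init__(self, max_requests=60, window_seconds=60):
        self._posts = {}                 # opaque id -> post
        self._hits = defaultdict(deque)  # client -> request timestamps in window
        self.max_requests, self.window = max_requests, window_seconds

    def add(self, owner, body, public=True):
        post_id = secrets.token_urlsafe(16)  # 128 random bits; no "+1" neighbour
        self._posts[post_id] = {"owner": owner, "body": body, "public": public}
        return post_id

    def _allow(self, client, now):
        q = self._hits[client]
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

    def fetch(self, post_id, client, viewer=None, now=None):
        """Return (status, body); status is 'ok', 'not_found' or 'rate_limited'."""
        now = time.monotonic() if now is None else now
        if not self._allow(client, now):
            return ("rate_limited", None)
        post = self._posts.get(post_id)
        if post is None or (not post["public"] and post["owner"] != viewer):
            return ("not_found", None)  # no existence oracle for private posts
        return ("ok", post["body"])
```

The per-client window here is keyed on whatever identifier the caller passes; in practice a limit keyed only on source IP is weak against many distributed clients, so it belongs alongside unguessable ids and authentication rather than in place of them.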
We thought that by wandering over to Parler we could breathe easy with our comments. After all we thought we would not be censored for the most part and it appeared it was going to be live and let live. No data mining. (Chuckle time)
We are in for a nasty shock.
We could fire off a comment feeling free as a Twitter bird... well, a bird then. Sort of like the early days of e-mail.
Now we find that all of our comments and videos, identifiable to us and most including our location, have been harvested from Parler.
Want to know how it works?
“I want this to be a big middle finger to those who say hacking shouldn’t be political,” said @donk_enby, whose efforts are documented at ArchiveTeam.org. She says that the data will eventually be hosted by the Internet Archive.
Our concern with Parler should have started in November
@donk_enby told Gizmodo that she began digging into Parler after the company issued denials about an email leak unearthed by the hacktivist Kirtner, who has been credited with founding the hacker group Anonymous. @donk_enby said she was able to independently locate the same material herself at the time.
Kirtner, creator of 420chan — a.k.a. Aubrey Cottle — reported obtaining 6.3 GB of Parler user data from an unsecured AWS server in November. The leak reportedly contained passwords, photos and email addresses from several other companies as well. Parler CEO John Matze later claimed to Business Insider that the data contained only “public information” about users, which had been improperly stored by an email vendor whose contract was subsequently terminated over the leak. (This leak is separate from the debunked claim that Parler was “hacked” in late November, proof of which was determined to be fake.) –Gizmodo
Following last week’s incursion into the US Capitol building by Trump supporters and the founder of a BLM group, a researcher who goes by the Twitter handle @donk_enby got to work archiving every post from that day made on Parler – a conservative alternative to Twitter where many claim the protesters coordinated leading up to the incident which left five people dead. Enby calls the evidence “very incriminating.”
Then, after Amazon announced that they were going to kill conservative Twitter rival Parler, @donk_enby began archiving posts prior to the 6th, ultimately preserving approximately 99.9% of its content, according to Gizmodo.
Hoping to create a lasting public record for future researchers to sift through, @donk_enby began by archiving the posts from that day. The scope of the project quickly broadened, however, as it became increasingly clear that Parler was on borrowed time. Apple and Google announced that Parler would be removed from their app stores because it had failed to properly moderate posts that encouraged violence and crime. The final nail in the coffin came Saturday when Amazon announced it was pulling Parler’s plug. –Gizmodo
Included in the data harvest are “original, unprocessed, raw files uploaded to Parler with all associated metadata.”
As Gizmodo notes, aside from obvious privacy implications, the archived data may serve as a “fertile hunting ground for law enforcement,” after dozens of suspects have been arrested in recent days following last week’s incident.
Of course, the data can also be used to help doxx conservatives by cancel-crusaders on the left, who go to great lengths to ruin the lives of their ideological opponents.
Before we go and sign up at the next social media upstart: “Let the Buyer Beware!”
After all, we would follow Trump into the fires of hell. Most of us were spared the worst of this one.
I for one do not want to hear any more from Parler and their spokespeople. What you allowed to happen is far worse than any data mining. What say you?
H/T: Zero Hedge
Everything super fine in the swamp... would someone ask Parler about this breach?