Social media platform Parler became known as an outlet for freedom of expression. In practice, it became a haven for disinformation, hate speech and calls for violence, the type of content typically blocked on more traditional platforms like Twitter and Facebook. It’s fair to say, however, that by “freedom of speech” the site’s creators did not mean that anyone could freely download every message, photo, and video posted on the site, including sensitive geolocation data. But a very basic bug in Parler’s architecture seems to have made it all too easy nonetheless.
Late Sunday night, Parler went offline after Amazon Web Services stopped hosting the social network, a move that followed the site’s use as a tool to plan and coordinate the insurrection in which a pro-Trump mob invaded the US Capitol building last week. In the days and hours leading up to this shutdown, a group of hackers rushed to download and archive the site, uploading tens of terabytes of Parler data to the Internet Archive. A pseudonymous hacker who led the effort and goes only by the Twitter handle @donk_enby told Gizmodo that the group had successfully archived “99 percent” of the site’s public content, which they said includes a wealth of “very incriminating” evidence on who participated in the raid on Capitol Hill and how.
As of Monday, rumors were circulating on Reddit and social media that the wholesale extraction of Parler’s data was carried out by exploiting a security vulnerability in the site’s two-factor authentication that allowed hackers to create “millions” of accounts with administrator privileges. The truth was much simpler: Parler lacked the most basic security measures that would have prevented automated scraping of site data. It even numbered its posts sequentially in site URLs, so anyone could easily download the site’s millions of posts programmatically.
Parler’s cardinal security sin is known as an insecure direct object reference, says Kenneth White, a security engineer at MongoDB who reviewed the code of the download tool that @donk_enby uploaded. An IDOR occurs when an attacker can simply guess the pattern that an application uses to refer to its stored data. In this case, the posts on Parler were simply numbered in chronological order: increase the value in a Parler post URL by one and you get the next post published on the site. Parler also did not require authentication to view public posts, and did not use any kind of “rate limiting” that would stop a single client from requesting too many posts too quickly. Combined with the IDOR problem, this meant that anyone could write a simple script to contact Parler’s web server and list and download every post, photo, and video in the order they were posted.
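The three missing controls the paragraph describes, unguessable post identifiers, a lookup that reveals nothing about which IDs exist, and per-client rate limiting on the unauthenticated read path, as an added illustration written for this article; it is not Parler’s code, and PostStore, RateLimiter and fetch_post are hypothetical names.

```python
import secrets
import time
from collections import defaultdict, deque


class PostStore:
    """In-memory post store whose public IDs are random, not sequential.

    A sequential counter internally is fine; what must never appear in a URL
    is that counter, because /posts/1, /posts/2, ... is exactly the IDOR
    pattern that lets anyone enumerate every post.
    """

    def __init__(self):
        self._next_internal = 0
        self._by_public_id = {}

    def create(self, author, body):
        self._next_internal += 1
        public_id = secrets.token_urlsafe(16)  # 128 random bits: infeasible to enumerate
        self._by_public_id[public_id] = {"internal": self._next_internal, "author": author, "body": body}
        return public_id

    def get(self, public_id):
        # Unknown IDs simply return None; no hint about neighbouring IDs.
        return self._by_public_id.get(public_id)


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per client."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)  # client -> timestamps of recent requests

    def allow(self, client):
        now = self.clock()
        recent = self._hits[client]
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop requests that fell out of the window
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def fetch_post(store, limiter, client, public_id):
    """Public (unauthenticated) read endpoint: throttle first, then look up."""
    if not limiter.allow(client):
        return 429, None  # Too Many Requests; counted even for bad IDs
    post = store.get(public_id)
    if post is None:
        return 404, None
    return 200, post
```

The limiter is keyed on whatever identifies the caller (here a plain string); in a real deployment that would be an API key or client address, and the window and limit would be tuned to normal reading behaviour.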
“It’s just a simple sequence, which blows my mind,” White says. “It’s like bad computer science 101, the kind of thing you would do when learning how web servers work. I wouldn’t even call it a rookie mistake, because as a professional you would never write something like that.”
Services like Twitter, on the other hand, randomize the URLs of posts so that they cannot be guessed. And while they offer APIs that allow developers to access tweets in bulk, they carefully restrict access to those APIs. In contrast, Parler had no authentication on an API that offered access to all of its public content, says Josh Rickman, security engineer at the security firm Swimlane. “Honestly, it felt like an oversight, or just laziness,” says Rickman, who says he analyzed Parler’s security architecture in a personal capacity. “They weren’t thinking about how big they were going to get, so they didn’t do it right.”