Parler, the Twitter rip-off that served as one of the main organizing tools for the Donald Trump fanaticswho stormed the U.S. Capitol on Jan. 6, has been largely offline for more than a week. But even in suspended animation, the preferred online home for QAnon, the Proud Boys, and other elements of the American far-right is still creating trouble.
Decisions by Amazon, Apple, and Google to quit hosting the site and forbid mobile users to download the app have triggered cries of Big Tech censorship. First Amendment and internet regulation politics aside, the way Parler gushed data on its way out the door raises serious cybersecurity questions as well as worries about whether other players on the internet have data breaches in their future.
Though its impossible to verify without peeking under Parlers hooda task now impossible since the website is offlinethe prevailing narrative is that a Parler security flaw (or flaws) allowed a white-hat hacker to download and archive all of Parlers user data shortly before Amazon Web Services pulled the plug on hosting the site. Among the data presented for the public (and law enforcement) to access included, in some cases, potentially incriminating location data.
Parler relied on Worpress, the worlds most-used content management system. That has led to speculation that WordPress was part of the flaw and that anyone else using WordPress was in danger. However, according to a general consensus of cybersecurity experts, including several contacted for this article, Parlers data breach didnt happen simply because Parler used WordPress. Instead, Parlers user data leaked because CEO John Matze and the sites architects left major flaws in Parlers API, the link between Parlers front-end and its user data.
See Also: Elon Musk Blames Facebook and Mark Zuckerberg For Capitol Riot
The predominant belief is that Parler was a rushed, poor design buoyed by right-leaning investors to become pretty large before they really had built a solid foundation, technologically speaking, Andrew Zolides, a professor of communications at Xavier University who teaches courses in digital design told Observer. (Among Parlers investors are the right-wing billionaire Rebekah Mercer, who tried to capitalize on right-wing anger at Twitter and Facebook to grow Parlers audience.)
While any website has its privacy concerns, Parler seems like an issue of getting too big, too fast and not having the ability or technical know-how to actually prepare for that, Zolides added.
In a welcome development for anyone concerned about anonymity or security in general, other websites can avoid the Parler trap provided they arent relatively new and small startups who try to compete with established giants like Twitter and Facebook, which is exactly what Parler did.
Yes, Parler could have been better designed, but realistically speaking, this is the kind of problem that happens when youre competing against mature companies that have invested billions and billions of dollars into their products, said Joseph Steinberg, a security expert and author of Cybersecurity for Dummies. Youre going to have a hard time designing everything that you want in a secure fashion.
First, the method for the alleged hack. Before Parler was yanked from AWS, a Twitter user with the handle @donk_enby figured out how to download the websites user dataall of which, along with whatever other very public evidence of Parler users breaching the Capitol, assaulting officers, and plotting further violence, was potentially very incriminating, as Gizmodo reported.
@donk_enby eventually snagged 56 terabytes worth of data: photos, videos, and text posts, many of which included some GPS metadata that positively put Parler users in and around the Capitol on January 6, including in secured areas. At least some of this data56,000 gigabyteshas been used to identify and apprehend riot participants, according to federal affidavits, but theres no proof positive that the feds used @donk_envys data tranche.
But how was it done? Early speculation buzzed that @donk_enby or another hacker may have stolen Parler admin credentials, which would be an illegal act. The accepted theory is that, as The Startup reported and several security experts have outlined, instead, Parlers own API was used against it to archive the websites dataand to do so quickly.
Parlers designers didnt restrict access to the API by requiring authentication. Users did not need specific credentials to access the data on the back end. That left an enormous back door open.
Most websites aware of basic security protocol dont allow access to the API without some form of user authentication to ensure the request isnt malicious. As The Startup pointed out, two common authentication solutions are API keys and tokens, both of which require some valid credentials that also allow the website to know whos accessing the data.
No authentication requirement left a door ajar. On top of that, Parlers designers didnt bother to add a second layer of defense in the way of rate-limitingmeaning instead of a door ajar or left cracked, the door was wide open.
Rate-limiting caps how much data a user can access regardless of credentials. Web users may have seen 429 Too Many Request error messages out in the wild, which is a sign that there have been too many knocks or attempts to pass through the door. Parler didnt have this, either, which meant that once the unsecured back end was accessed, @donk_enby was also able to archive Parlers data within 48 hours. (Oddly enough, as The Startup pointed out, Amazon Web Service has a basic firewall option that Parler didnt seem to bother with.)
Finally, Parler also allowed posts its users believed were deleted to be both available and easily discovered once someone was in the back end. In the aftermath of the deadly riots, some Parler users, aware of the reams of evidence available on the web, encouraged others to delete their posts from January 6.
All of Parlers posts were given sequential numbers that increased by 1. Even when those posts were deleted by the user, they remained on the back end. @donk_enby apparently needed to write only a very basic script that found and archived each post, one by one. And since Parler didnt bother removing geo-tagged data from photos and videos and posts before they were uploaded, that information was also sitting there waiting to be archived.
Its possible that other websites that use WordPress or other hosting software altogether may have similar security flaws, but they also might not be infamous enough to have those security flaws become the interest of vigilante hackers and thus be breached.
It is not uncommon for websites to have security flaws, sometimes significant ones, that go unnoticed because they are not popular enough to draw more than simple, often automated, attempts to compromise them, said Erich Kron, a security expert with KnowBe4, a prominent security solutions firm. When the site becomes popular quickly, the focus and complexity of these tests increase, often leading to vulnerabilities being discovered.
One recent example of this phenomenon, Kron said, was Zoom. When the COVID-19 pandemic made all work remote work, Zooms previously undetected security flaws were discovered, exploited, and then quickly patched. But with Parler, when security vendors started ditching their erstwhile client, it left Parler vulnerable at a time they were also a target of attackers, hacktivists and others, Kron added.
Parler isnt dead quite yet. Over the weekend, some version of Parler returned on the same web servers that host other fringe sites welcoming hate speech. As of Tuesday evening, the sites homepage is a technical difficulties landing page; site founder John Matze told Fox News the website plans to be fully functional by the end of the month (though mobile users will likely be stuck using the web-based version instead of an app). And there are other homes for the online far-rightthough, as Zolides pointed out, free-speech focused forums like Gab have been more proactive with content moderation than Parler.
More details may yet emerge on exactly how @donk_enby accessed Parlers data and whether the open-door theory was exactly what happened. (And standing separate from the cybersecurity question are issues of ethics; breach or hack, Parlers user data was still stolen, as Steinberg said, and a heist is nothing to celebrate.)
Assuming Parlers data was done in by bad design, for now, the online story of January 6 is one of repeated self-incrimination: unmasked rioters wandering the US Capitol, gleefully and openly discussing their foiled additional plans, posting incriminating evidence to the internet all the while, to a website that was not prepared to keep that evidence anonymous or secure.
The rest is here:
Parler Was Hacked on WordPress, The Internets Biggest Platform. Is Everyone At Risk? - Observer
Read More..