SIMILAR ARTICLES:

FBI Takes Down Site With 12 Billion Stolen Records

Hackers Are Exploiting a 5-Alarm Bug in Networking Equipment

A Password-Exposing Bug Was Purged From LastPass

DejaBlue: New BlueKeep-Style Bugs Mean You Need to Update Windows Now

Microsoft's BlueKeep Bug Isn't Getting Patched Fast Enough

Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking

Google's Push to Close a Major Encrypted Web Loophole

When Influencers Switch Platforms—and Bare It All

Election Systems Are Even More Vulnerable Than We Thought

Zoom Security Gets a Boost With Keybase Acquisition

Adult Cam Site CAM4 Exposed 10.88 Billion Records Online

How a 10-Year-Old Desk Phone Bug Came Back From the Dead

Hackers Target Porn Site Visitors Using Flash and Internet Explorer

Why 'Zero Day' Android Hacking Now Costs More Than iOS Attacks

Why Ring Doorbells Perfectly Exemplify the IoT Security Crisis

A Brief History of Porn on the Internet

Post-Riot, the Capitol Hill IT Staff Faces a Security Mess

The Secret Service Is Investigating 700 Cases of Covid Relief Fraud

The Overlooked Security Threat of Sign-In Kiosks

The MacOS Catalina Privacy and Security Features You Should Know

How Safari and iMessage Have Made iPhones Less Secure

Windows 10 Has a Security Flaw So Severe the NSA Disclosed It

An Absurdly Basic Bug Let Anyone Grab All of Parler's Data

The social media platform Parler rose to prominence as an outlet for free speech. In practice, it became a haven for disinformation , hate speech, and calls for violence, the sort of content generally blocked on more mainstream platforms like Twitter and Facebook. It's fair to say, though, that by “free speech” the site's creators didn't mean that anyone could freely download every message, photo, and video posted to the site, including sensitive geolocation data. But a very basic bug in Parler's architecture nonetheless seems to have made it all too easy to do just that.

READ ALSO:

Trump Caught Google Off Guard With a Bogus Coronavirus Site Announcement

Late Sunday night, Parler went offline after Amazon Web Services cut off hosting for the social media outlet, a decision that followed the site's use as a tool to plan and coordinate an insurrectionist , pro-Trump mob's invasion of the US Capitol building last week. In the days and hours before that shutdown, a group of hackers scrambled to download and archive the site, uploading dozens of terabytes of Parler data to the Internet Archive. One pseudonymous hacker who led the effort and goes only by the twitter handle @donk_enby told Gizmodo that the group had successfully archived "99 percent" of the site's public contents, which she said includes a trove of "very incriminating" evidence of who participated in the Capitol raid and how.By Monday, rumors were circulating on Reddit and across social media that the mass disemboweling of Parler's data had been carried out by exploiting a security vulnerability in the site's two-factor authentication that allowed hackers to create "millions of accounts" with administrator privileges. The truth was far simpler: Parler lacked the most basic security measures that would have prevented the automated scraping of the site's data. It even ordered its posts by number in the site's URLs, so that anyone could have easily, programmatically downloaded the site's millions of posts.

READ ALSO:

The Internet Avoided a Minor Disaster Last Week

"It's just a straight sequence, which is mind-numbing to me," says White. "This is like a Computer Science 101 bad homework assignment, the kind of stuff that you would do when you're first learning how web servers work. I wouldn't even call it a rookie mistake because, as a professional, you would never write something like this."Services like Twitter, by contrast, randomize the URLs of posts so they can't be guessed. And while they offer APIs that give developers access to tweets en masse, they carefully restrict access to those APIs. By contrast, Parler had no authentication for an API that offered access to all its public contents, says Josh Rickard, a security engineer for security firm Swimlane. "Honestly it seemed like an oversight, or just laziness," says Rickard, who says he analyzed Parler's security architecture in a personal capacity. "They didn’t think about how big they were going to get, so they didn’t do this properly."

READ ALSO:

How a Bitcoin Trail Led to a Massive Dark Web Child-Porn Site Takedown

The article source: www.wired.com
Tags: site, parler, security, outlet, speech, web, group, architecture, rickard, authentication,