Parler, the right-wing social network, is gone. Amazon Web Services (AWS) switched it off. And, Parler, as it was, isn’t coming back. Parler’s data, however, including death threats and geotagged deleted messages, had been scraped and it’s being published on numerous public websites. Here’s how it was done.
A hacker who goes by the Twitter handle @donk_enby started by downloading every Parler post from Jan. 6, searching for “incriminating” evidence. That was the day U.S. President Donald Trump, in a rally outside the White House, urged a crowd of his supporters to march to the nearby Capitol building. The resulting chaos resulted in five deaths, including a police officer. According to reports, Parler had been used by the attackers to help coordinate their assault on the Capitol building. Allegedly, their ill-conceived plan was to force Congress into overturning the 2020 election results and keep Donald Trump as President.
When the news broke that AWS was taking Parler down, donk_enby went for all of Parler’s public records. In the over 70TB of data was scraped from Parler. Donk_enby then uploaded the data to the Internet Archive. Numerous other copies of the data have been made. Donk_enby tweeted the Parler data may include deleted and private posts, and the videos contained “all associated metadata.”
There were rumors that the data has been swiped from Parler because when Twilio forbade Parler from using its program, it removed Parler’s ability to authenticate its accounts. That was not the case. A Twilio representative said, “With regards to reports of cybersecurity issues Parler experienced and have been attributed to Twilio, our security team investigated the claims and found no evidence indicating their security issues were related to Twilio or our product.”
As for these rumors, donk_enby had her own short reply about them and what data was actually being found: “Since a lot of people seem confused about this detail and there is a bullshit reddit post going around: only things that were available publicly via the web were archived. i don’t have you e-mail address, phone or credit card number. unless you posted it yourself on parler.”
That said, Marjorie Taylor Greene, a U.S. Republican Congressional member and Qanon conspiracy theorist, had asked for people to share their phone numbers and e-mail addresses on Parler. Even if members didn’t share this information, Parler, by not erasing image and video metadata, including GPS coordinates, has made it possible to trace down the real identity of many Parler users.
Deleted messages were also captured. That’s because Parler’s proprietary program didn’t actually delete them. Instead, it simply marked them to be invisible to users. Bad, bad security programming.
So, how was it really done?
It wasn’t really that complicated at all. Donk_enby had earlier reversed engineered part of the Parler iOS client, which had been written in Python. Using its API, a jail-broken iPad, and Ghidra, a National Security Agency (NSA) open-source reverse-engineering tool, donk_enby exploited weaknesses in Parler’s design. Armed with this, donk_enby and others pulled down every Parler public post URL in sequential order. This in turn enabled her to then capture and save the messages.
Making it even easier, Parler’s API didn’t require authentication. Anyone at any time could have used it to see to all its members’ public content. There was also no data throttling. Once the data started flowing through the API pipeline, the only limit was how fast the server could dish out the information and how fast your internet connection.
If part of that sounds really stupid programming on Parler’s part, you wouldn’t be wrong. It had a security hole in it as big as a whale.
In a Wired report, Kenneth White, co-director of the Open Crypto Audit Project, said the core problem was that its use of a simple add one to its chronological message URLs constituted an insecure direct object reference (IDOR) problem. Put it all together, and you don’t need to have access to administrative accounts or be a mad hacker genius.
White told Wired, “This is like a Computer Science 101 bad homework assignment, the kind of stuff that you would do when you’re first learning how web servers work. I wouldn’t even call it a rookie mistake because, as a professional, you would never write something like this.”
The real problem wasn’t grabbing the public records; It was being able to grab the terabytes of data before AWS turned Parler off.
Fortunately, donk_enby found friends to help download almost all of Parler’s data in the “big pull.” The Archive Team, a volunteer group dedicated to saving sites and data from the great bit-bucket in the sky, brought their people and a newly created download tool to bear. This, combined with a script to automatically create new Parler accounts, enabled most of Parler’s data to be taken down and archived for historical and potentially legal use.
At this point, the data is largely only available in its raw form. Projects, however, are already being created to make Parler users’ messages, videos, and photographs easily available for anyone who wants to look under Parler’s covers.
The technology moral of the story? If you’re going to write something that purports to be a private and secure social network, it behooves you to have a clue about security. Parler’s security was a bad joke and the joke is now on its millions of former members.
AWS is a sponsor of The New Stack.
Feature image via Pixabay.