It was not surprising to read reports of a recent data breach of Parler, the right wing version of Twitter, knowing that it would be a likely target for hacktivists following the capital breach of January 6th. The most surprising thing after investigating the exploit was the cardinal sins Parler committed when it came to storing data on their application.

Firstly, to squash the misleading information coming out. It was widely reported that Twilio disabled 2FA for Parler which opened a security hole allowing the exploit to take place. This is false.  Twilio did inform Parler they were in breach of their terms of service and planned to cancel their account, Parler then deactivated Twilio’s service. Twilio’s later investigation found no evidence that this resulted in a security flaw.

What data was accessed

To make clear what data was accessed, only public posts on Parler were scrapped and archived. Now undoubtedly this is not as significant compared to a breach where private data like user passwords or private messages were exposed. But there is still plenty of incriminating evidence of users along with absolutely shocking privacy and security mismanagements by Parler.

What happened

Hacker and digital activist @dork_enby had in December 2020 reversed engineered the Parler API using Ghidra. Ghidra is a piece of reverse-engineering software designed and publicly released by the NSA. Basically it is a tool that helps to dig up the source code of a proprietary program. @dork_enby did not document the Parler API to explicitly archive the site but to be able to query the site to find public information.

Immediately after the capitol attack on January 6th, @dork_enby  went into action to preserve what could be incriminating evidence in relation to the capital attack. When it was announced AWS would be removing the application from their servers, activists worked together with @dork_enby to archive all public information on Parler. This resulted in 56.7 terabytes of data, which included every public post on Parler, 412 million files in all—including 150 million photos and more than 1 million videos.

Parler lacked the most basic security measures that would have prevented the automated scraping of the site's data. It sequentially ordered its posts URLs so that anyone could have easily, programmatically downloaded the site's millions of posts. This is known as an insecure direct object reference. Other social media sites use universally unique identifiers (UUIDs)  for URLs where the ID’s have no relation to each other. Simply meaning you can not sequentially access or guess URLs. In addition to this, Parler had no limits placed on the public API’s that would have flagged an exploit to archive all data (something all other social media platforms have).

The other sin Parler has commited was to leave, intact, the meta-data, such as the EXIF data stored within the raw media files. Most interesting of this data was the GPS coordinates. Again this is stripped from all other major social media sites during upload, for obvious privacy considerations.

1. image of the meta-data

2. how it was used to determine users location inside the capitol

This data could be used to uncover and bring criminal charges to the individuals involved in the storming of the capital but also be used to uncover members of far right organizations, including their names, emails and locations.

Now despite some comments and my own title (hah more misleading headlines), this exploit used against Parler is still considered hacking because it was using systems in an unintended way to extract data. But it is not an illegal hack where unauthorized actors illegally breached into systems and services belonging to Parler accessing and or exposing sensitive private data.

Wrap up

So the Parler ‘hack’ as is widely being reported isn’t so much a Hack as it was irresponsible architectural design and mismanagement of public data by a social media provider. They used sequential numbering for post URLs which combined with a public API with no access limits, allowed all public posts to be archived by third parties. They also failed to remove meta-data of media files giving third parties access to information such as some GPS locations. This poor design was used in an exploit to archive all public data from the site.