Parler, a social network used to plan the storming of the U.S. Capitol last week, has been hit by a massive data scrape. Security researchers collected swaths of user data before the network went dark Monday morning after Amazon, Google, and Apple booted the platform.
The scrape includes user profile data, user information, and which users had administration rights for specific groups within the social network. Twitter user @donk_enby, who first announced about the scrape, claims that over a million video URLs, some deleted and private, were taken.
“These are original, unprocessed, raw files as uploaded to Parler with all associated metadata,” claims one of the authors.
Security researchers claim that the scraped posts are linked to accounts that posted them, and some of the video and image data have geolocation information. That is said also to include data from Parler’s “Verified Citizens,” users of the network who verified their identity by uploading photographs of government-issued IDs, such as a driver’s license.
However, after the news about the data scrape went global, the author of the hack @donk_enby explained in a tweet that neither her nor others have collected any personal data that Parler users did not make public themselves.
“Only things that were available publicly via the web were archived. I don’t have you e-mail address, phone or credit card number. unless you posted it yourself on Parler,” she stated on Twitter.
The data might prove valuable to law enforcement since many who participated in the riots deleted their posts and videos afterward. The data scrape includes deleted posts, meaning that Parler stored user data after users deleted it.
Parler, a far-right friendly site, was among the key candidates to host President Donald Trump’s social media presence as Twitter and Facebook suspended his accounts for instigating violence.
Reddit users claim that the scrape was made possible due Twilio, an American cloud communications platform that provided the platform with phone number verification services, cutting ties with Parler.
In a press release announcing the decision, Twilio revealed which services Parler was using. This information allowed hackers to deduce that it was possible to create users and verified accounts without actual verification.
With this type of access, newly minted users were able to get behind the login box API used for content delivery. That allowed them to see which users had moderator rights and this in turn allowed them to reset passwords of existing users with simple “forgot password” function. Since Twilio no longer authenticated emails, hackers were able to access admin accounts with ease.
Twilio, however, distanced themselves from the accusations on revealing information about Parler’s services in a press release. The company’s head of corporate communications, Cris Paden, reached out to CyberNews in an article comment claiming that Twilio’s security experts found no evidence that Parlers’ security issues were related to their services.
“On Friday, January 8th, we sent Parler a letter informing them they were in violation of our Acceptable Use Policy and notifying them that we would suspend their account if they did not make efforts to remediate multiple calls for violence on their platform,” Mr. Paden explained in a comment.
He claims that shortly after, Parler informed the company they had already turned off their navigation with Twilio and therefore any security issues were unrelated to Twilio.
“There has not been any proof that Parler itself was “hacked,” but rather, the platform was inherently insecure and was leveraged in a group effort before being taken down,” he explained.
His team estimates that at least 15 offensive parties took part in the data scrape, and hackers collected at least 60 terabytes of data. The breach itself can be attributed to poor engineering and lack of testing on the Parler’s side that allowed a mass collection of archived data.
“This was due to an unprotected API call that was sequentially numbered, therefore allowing any attacker to iterate continuously over the endpoint and take all information available,” Mr. Warner explained.
“In the case of Parler, this was URLs that looked like https://par.pw/v1/photo?id= and the ID could be sequentially increased to gather information from the API without direct knowledge,” he explained.
On the one hand, some of the people whose data got scraped actively planned acts of violence. On the other, some people joined Parler only out of curiosity or professional obligation, such as journalists. However, the data scrape was universal, without hackers paying attention to the real intentions of account holders.
“From what I‘m reading, these weren‘t hacking in a sense we think about state-sponsored hacking, involving phishing or active deception, or anything like that. There was a glaring gap in the security of the platform, and @donk_enby and a few others noticed it and used it,” Ali Alkhatib, data ethicist and a research fellow at the Center for Applied Data Ethics, explained to CyberNews.
Since @donk_enby did not carry out the data scrape secretively, there’s little to worry about from an ethics perspective. However, Alkhatib agrees that if the data scrape was targeted towards minority groups, there’d be a lot more to worry about.
“To me, this is a little more like the Ashley Madison debacle, but for white supremacists,” he explained.
The scrape includes user profile data, user information, and which users had administration rights for specific groups within the social network. Twitter user @donk_enby, who first announced about the scrape, claims that over a million video URLs, some deleted and private, were taken.
“These are original, unprocessed, raw files as uploaded to Parler with all associated metadata,” claims one of the authors.
Security researchers claim that the scraped posts are linked to accounts that posted them, and some of the video and image data have geolocation information. That is said also to include data from Parler’s “Verified Citizens,” users of the network who verified their identity by uploading photographs of government-issued IDs, such as a driver’s license.
However, after the news about the data scrape went global, the author of the hack @donk_enby explained in a tweet that neither her nor others have collected any personal data that Parler users did not make public themselves.
“Only things that were available publicly via the web were archived. I don’t have you e-mail address, phone or credit card number. unless you posted it yourself on Parler,” she stated on Twitter.
The data might prove valuable to law enforcement since many who participated in the riots deleted their posts and videos afterward. The data scrape includes deleted posts, meaning that Parler stored user data after users deleted it.
Parler, a far-right friendly site, was among the key candidates to host President Donald Trump’s social media presence as Twitter and Facebook suspended his accounts for instigating violence.
- New report shows that violent hashtags on Parler skyrocketed during and after the US Capitol riots
- Get the data collection cheat sheet on how Parler, Twitter, Facebook, MeWe’s data policies compare
Reddit users claim that the scrape was made possible due Twilio, an American cloud communications platform that provided the platform with phone number verification services, cutting ties with Parler.
In a press release announcing the decision, Twilio revealed which services Parler was using. This information allowed hackers to deduce that it was possible to create users and verified accounts without actual verification.
With this type of access, newly minted users were able to get behind the login box API used for content delivery. That allowed them to see which users had moderator rights and this in turn allowed them to reset passwords of existing users with simple “forgot password” function. Since Twilio no longer authenticated emails, hackers were able to access admin accounts with ease.
Twilio, however, distanced themselves from the accusations on revealing information about Parler’s services in a press release. The company’s head of corporate communications, Cris Paden, reached out to CyberNews in an article comment claiming that Twilio’s security experts found no evidence that Parlers’ security issues were related to their services.
“On Friday, January 8th, we sent Parler a letter informing them they were in violation of our Acceptable Use Policy and notifying them that we would suspend their account if they did not make efforts to remediate multiple calls for violence on their platform,” Mr. Paden explained in a comment.
He claims that shortly after, Parler informed the company they had already turned off their navigation with Twilio and therefore any security issues were unrelated to Twilio.
How was the scrape done?
First and foremost, the Parler data scrape was not a hack in the conventional sense. According to Matt Warner, CTO at Blumira, a cybersecurity provider of automated threat detection and response technology, recent events could be considered a significant “hacktivism movement.”“There has not been any proof that Parler itself was “hacked,” but rather, the platform was inherently insecure and was leveraged in a group effort before being taken down,” he explained.
His team estimates that at least 15 offensive parties took part in the data scrape, and hackers collected at least 60 terabytes of data. The breach itself can be attributed to poor engineering and lack of testing on the Parler’s side that allowed a mass collection of archived data.
“This was due to an unprotected API call that was sequentially numbered, therefore allowing any attacker to iterate continuously over the endpoint and take all information available,” Mr. Warner explained.
The CTO noted that Twilio’s move to pull out allowed potential users to create Parler accounts without verifying their email. According to him, Parler allowed for an IDOR attach, which enumerates across all data available.
“In the case of Parler, this was URLs that looked like https://par.pw/v1/photo?id= and the ID could be sequentially increased to gather information from the API without direct knowledge,” he explained.
A question of ethics
Even though the stated purpose of the data scrape is to keep proof of wrongdoing, a question remains: do the ends justify the means?On the one hand, some of the people whose data got scraped actively planned acts of violence. On the other, some people joined Parler only out of curiosity or professional obligation, such as journalists. However, the data scrape was universal, without hackers paying attention to the real intentions of account holders.
“From what I‘m reading, these weren‘t hacking in a sense we think about state-sponsored hacking, involving phishing or active deception, or anything like that. There was a glaring gap in the security of the platform, and @donk_enby and a few others noticed it and used it,” Ali Alkhatib, data ethicist and a research fellow at the Center for Applied Data Ethics, explained to CyberNews.
Since @donk_enby did not carry out the data scrape secretively, there’s little to worry about from an ethics perspective. However, Alkhatib agrees that if the data scrape was targeted towards minority groups, there’d be a lot more to worry about.
“To me, this is a little more like the Ashley Madison debacle, but for white supremacists,” he explained.