After US President Trump was collectively “banned” by mainstream social media such as Twitter, Facebook and Instagram, Parler, the US social app that was Trump’s last social media foothold, was also “rejected” by Amazon, Google and Apple last Sunday and cut off from their services. Even more alarming news came from the reddit community on Monday: all Parler user data (including that of users who took part in the Congressional protests and demonstrations) had been publicly exposed and made available to anyone.
Parler is Twitter’s competing product, positioned to serve people (including Trump) who are highly dissatisfied with Twitter’s censorship.
Parler CEO John Matze, who is only 27 years old, could not have imagined that, following the Congressional riot of January 6 at the call of Trump and his supporters, Parler’s user count would soar from 4.5 million to 8 million in just one week, and then fall back to zero.
Along with Trump, Parler was “put to death” by the American technology giants. But with the full exposure of its user data, Parler’s troubles are clearly just beginning.
The “culprit” behind Parler’s massive data breach was Twilio, the company that provided Parler’s SMS-based two-factor authentication (2FA) service and which, along with Google and Apple, stopped serving Parler. Worse, the identity protection provider Okta also stopped serving Parler, which spelled a cybersecurity disaster.
This week an independent security researcher (@donk_enby) revealed on Twitter that reverse-engineering the Parler iOS app had uncovered an API endpoint (a URL inside the app used to fetch data). The site used an insecure API key (unusual for a web site), and because the third-party mail service and 2FA service Parler relied on were down, anyone could create a user without verifying an email address, immediately obtain a login account, access the login API that delivers content, and retrieve an account with administrator privileges.
The user could then bypass 2FA by resetting the user’s password, gain access to the administrator account, and enumerate all the posts, videos, comments and so on ever published by Parler users.
In a follow-up tweet, @donk_enby revealed that 99.9% of Parler’s user data, including more than 1 million videos, had been crawled through Parler’s security flaws, and that an online archive (to be stored eventually at https://archive.org/) had begun.
In fact, scripts were developed to create millions of fake admin accounts for crowdsourcing the collection of Parler’s user data. By continuously creating administrator accounts, the attackers built a Docker image (basically a virtual machine) called Warrior that anyone could download to immediately start collecting data from Parler in a coordinated manner. This is somewhat similar to the SETI (Search for Extraterrestrial Intelligence) computing crowdsourcing project, in which netizens widely participated.
All this Parler user data, videos, images, posts and metadata (including the geolocation of all images and videos and links to the publishing accounts) has, since midnight Sunday, been uploaded to various cloud drives for storage so that it can later be retrieved by law enforcement agencies (to hold offenders to account), the public, and the open source intelligence community.
In other words, all of Parler’s private user data, including data that users had deleted, became an “open source project” accessible to everyone overnight.
Security personnel pointed out that Parler’s code appears to be seriously flawed: it would skip the password reset email if the mail service failed, which looks more like temporary code for an experimental environment. And this is not the first time Parler has suffered a data breach: in November last year, Aubrey Cottle, the developer of 420chan, claimed to have obtained 6.3GB of Parler user data from an Amazon server provider.
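To make the fail-open password-reset flaw described above (and the 2FA bypass it enables, described earlier) concrete, here is an added, constructed Python sketch; it is not Parler’s code, whose source is not public, and the provider, store and function names are assumptions. It places a reset handler that skips the email step when the mail provider is down beside a fail-closed version that leaves no usable reset state behind.

```python
import hashlib
import secrets
# Constructed in-memory stand-ins for the third-party mail provider and the reset store.
class MailProviderDown(Exception):
    """Raised when the external mail service is unreachable."""

class MailProvider:
    def __init__(self, available: bool):
        self.available = available
        self.outbox = []  # (email, token) pairs a real provider would deliver
    def send_reset_link(self, email: str, token: str) -> None:
        if not self.available:
            raise MailProviderDown("mail provider unreachable")
        self.outbox.append((email, token))

def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset_fail_open(email, mail, store) -> bool:
    """Insecure: when the mailer fails, skip the email and mark the reset pre-verified."""
    token = secrets.token_urlsafe(32)
    try:
        mail.send_reset_link(email, token)
        store[email] = {"token_hash": _hash(token), "verified": False}
    except MailProviderDown:  # fail-open fallback: no proof of inbox access required
        store[email] = {"token_hash": None, "verified": True}
    return True

def request_reset_fail_closed(email, mail, store) -> bool:
    """Hardened: if the link cannot be delivered, leave no reset state behind."""
    token = secrets.token_urlsafe(32)
    try:
        mail.send_reset_link(email, token)
    except MailProviderDown:  # fail closed; caller should return an error and alert ops
        store.pop(email, None)
        return False
    store[email] = {"token_hash": _hash(token), "verified": False}
    return True

def can_complete_reset(email, presented, store) -> bool:
    """Gate the password change on a delivered token matching the stored hash."""
    entry = store.get(email)
    if entry is None:
        return False
    if entry["verified"]:  # only the fail-open path sets this; it lets anyone through
        return True
    if presented is None or entry["token_hash"] is None:
        return False
    return secrets.compare_digest(_hash(presented), entry["token_hash"])
```

With the provider down, the fail-open handler lets a reset complete with no token at all, while the fail-closed handler refuses and records nothing; monitoring should treat a burst of mail-provider failures during reset requests as an incident, not a condition to silently work around.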
As of press time, the servers storing Parler user data have been completely shut down, but the large-scale leakage of Parler user data is still ongoing.
Did the Parler incident expose some previously unnoticed common flaws in third-party web security services?
Since Parler also has many users in Europe, will this leak be punished under the GDPR?
Can U.S. government agencies such as the FBI, DHS and FAA use the leaked data as a legitimate basis for identifying and prosecuting violent protesters?
A considerable number of Parler “authenticated users” uploaded photos of their driver’s licenses, and such sensitive personal information has now been “open sourced” on a large scale. Is this “group hacking” behavior punishable under US privacy laws?
Data that Parler users had “deleted” remained “live” in the database and could be accessed under special circumstances, an issue that deserves special attention and verification in cloud data security (service level agreements).