[conspire] Something hilarious happened in Internet Security…

Deirdre Saoirse Moen deirdre at deirdre.net
Sat Jan 16 15:05:19 PST 2021


So you may have heard the alt-nut site Parler is offline. This isn’t related to it being offline per se, but it IS related to their security issues.

https://gadgets.ndtv.com/social-networking/news/80tb-parler-posts-photos-videos-leaked-by-security-researchers-law-enforcement-can-use-to-identify-january-6-attackers-2350920

1. They were hosted on (self-hosted) WordPress, which is written in PHP.
2. There are a billion zillion WordPress plugins, many of them with security issues.
3. Some of Parler’s indeed had major security issues.
4. Some of Parler’s security holes were intentional (e.g., asking for proof, in photo form, of social security card and/or driver’s license in order to become verified).
5. Once people uploaded videos (with metadata like lat/long), did Parler offload them to another site so the original video couldn’t easily be retrieved? Why no, they did not.

So, when some of the security failsafes were removed (their 2FA provider having removed them), they failed open rather than closed, meaning people had MORE access than they should.

https://www.reddit.com/r/ParlerWatch/comments/kuqvs3/all_parler_user_data_is_being_downloaded_as_we/giudtnl/?utm_source=reddit&utm_medium=web2x&context=3

I’ve been following @donk_enby on Twitter, who was aiming people at saving site archives for OSINT (open source intelligence) purposes.

What’s just batshit (or, as @questauthority says, flederscheisse): They. Saved. The. Unprocessed. Videos. That. Were. Uploaded.

With the metadata intact.

https://old.reddit.com/r/ParlerWatch/comments/kuqvs3/all_parler_user_data_is_being_downloaded_as_we/giuz38a/

Which…people were able to download because of them having failed open. Some of that metadata includes things like: lat/long.

https://www.vice.com/en/article/n7vqew/the-hacker-who-archived-parler-explains-how-she-did-it-and-what-comes-next

Which gives us this map of the 6th of what was uploaded during the insurrection:

https://twitter.com/markk116/status/1349466940658634755

Which is arguably a worse failure than *keeping* the photos with people’s driver’s licenses, etc.

I mean, if you still wanted to keep all that stuff for legal reasons, the right way to do it is to move that hunk o’ data to a separate server and keep track of the URL the processed version is at (for the videos), and not make the private data readily available when your site fails.
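The failure described above (the unprocessed uploads kept with lat/long intact) and the fix in the preceding paragraph, as an added example that is not from this post or from Parler: a stdlib-only Python walker over an MP4 box tree that reports and removes the Apple/Android `©xyz` location atom, so the copy that gets served carries no capture location. The sample file, the box layout and the container set are constructed assumptions, not data from the leak.

```python
import struct

# Containers we descend into (assumption: plain boxes, no FullBox header; the
# ISO BMFF 'meta' box has one and is deliberately not walked here).
CONTAINER_BOXES = {b"moov", b"trak", b"udta"}
# Apple/Android location atom holding an ISO 6709 string like "+37.77-122.41/".
# (The 3GPP 'loci' box is another carrier and is out of scope for this example.)
LOCATION_BOX = b"\xa9xyz"

def box(btype, payload=b""):
    """Build one box: 32-bit big-endian size, 4-byte type, payload (< 4 GiB)."""
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

def iter_boxes(data):
    """Yield (type, payload) for each top-level box, rejecting bad sizes."""
    pos = 0
    while pos + 8 <= len(data):
        size, btype = struct.unpack(">I4s", data[pos:pos + 8])
        hdr = 8
        if size == 1:                      # 64-bit 'largesize' follows header
            size, hdr = struct.unpack(">Q", data[pos + 8:pos + 16])[0], 16
        elif size == 0:                    # box runs to end of data
            size = len(data) - pos
        if size < hdr or pos + size > len(data):
            raise ValueError("malformed box at offset %d" % pos)
        yield btype, data[pos + hdr:pos + size]
        pos += size

def scrub(data):
    """Return (location strings found, copy with those atoms removed)."""
    found, out = [], []
    for btype, payload in iter_boxes(data):
        if btype == LOCATION_BOX:          # payload: u16 length, u16 lang, text
            length = struct.unpack(">H", payload[:2])[0]
            found.append(payload[4:4 + length].decode("utf-8", "replace"))
            continue                       # not copied: parent sizes shrink
        if btype in CONTAINER_BOXES:
            inner, payload = scrub(payload)
            found.extend(inner)
        out.append(box(btype, payload))    # box() recomputes the size
    return found, b"".join(out)

# Constructed sample (not a real upload): a minimal MP4 skeleton whose
# moov/udta carries a GPS fix, as a phone-recorded clip would.
LOC = b"+37.7749-122.4194/"
SAMPLE = (box(b"ftyp", b"isom\x00\x00\x02\x00isom")
          + box(b"moov", box(b"mvhd", b"\x00" * 100)
                + box(b"udta", box(LOCATION_BOX, struct.pack(">HH", len(LOC), 0x15C7) + LOC)))
          + box(b"mdat", b"\xde\xad\xbe\xef"))
```

Run `scrub()` on the stored original and serve only the second return value; a non-empty first value on the served copy is the check that the private data is not reachable when the site fails open.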

Oh, and gosh, a lot of those videos were uploaded from military bases and police stations, surprise, surprise, surprise:

https://gizmodo.com/leaked-parler-data-points-to-users-at-police-stations-1846059897

Also, if you haven’t heard *why* Parler is offline, here’s a rather horrifying sample of the stuff Amazon asked them to remove (and they dragged their feet):

https://twitter.com/benedictevans/status/1350429324739031041

Deirdre