<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">So you may have heard the alt-nut site Parler is offline. This isn’t related to it being offline per se, but it IS related to their security issues.<div class=""><br class=""></div><div class=""><a href="https://gadgets.ndtv.com/social-networking/news/80tb-parler-posts-photos-videos-leaked-by-security-researchers-law-enforcement-can-use-to-identify-january-6-attackers-2350920" class="">https://gadgets.ndtv.com/social-networking/news/80tb-parler-posts-photos-videos-leaked-by-security-researchers-law-enforcement-can-use-to-identify-january-6-attackers-2350920</a></div><div class=""><div class=""><br class=""></div><div class="">1. They were hosted on (self-hosted) WordPress, which is written in PHP.</div><div class="">2. There are a billion zillion WordPress plugins, many of them with security issues.</div><div class="">3. Some of Parler’s indeed had major security issues.</div></div><div class="">4. Some of Parler’s security holes were intentional (e.g., asking for proof, in photo form, of social security card and/or driver’s license in order to become verified).</div><div class="">5. Once people uploaded videos (with metadata like lat/long), did Parler offload them to another site so the original video couldn’t easily be retrieved? 
Why no, they did not.</div><div class=""><br class=""></div><div class="">So, when some of the security failsafes were removed (their 2FA provider having removed them), they failed open rather than closed, meaning people had MORE access than they should.</div><div class=""><br class=""></div><div class=""><a href="https://www.reddit.com/r/ParlerWatch/comments/kuqvs3/all_parler_user_data_is_being_downloaded_as_we/giudtnl/?utm_source=reddit&utm_medium=web2x&context=3" class="">https://www.reddit.com/r/ParlerWatch/comments/kuqvs3/all_parler_user_data_is_being_downloaded_as_we/giudtnl/?utm_source=reddit&utm_medium=web2x&context=3</a></div><div class=""><br class=""></div><div class="">I’ve been following @donk_enby on Twitter, who was aiming people at saving site archives for OSINT (open source intelligence) purposes.</div><div class=""><br class=""></div><div class="">What’s just batshit (or, as @questauthority says, flederscheisse): They. Saved. The. Unprocessed. Videos. That. Were. Uploaded.</div><div class=""><br class=""></div><div class="">With the metadata intact.</div><div class=""><br class=""></div><div class=""><a href="https://old.reddit.com/r/ParlerWatch/comments/kuqvs3/all_parler_user_data_is_being_downloaded_as_we/giuz38a/" class="">https://old.reddit.com/r/ParlerWatch/comments/kuqvs3/all_parler_user_data_is_being_downloaded_as_we/giuz38a/</a></div><div class=""><br class=""></div><div class="">Which…people were able to download because of them having failed open. 
Some of that metadata includes things like: lat/long.</div><div class=""><br class=""></div><div class=""><a href="https://www.vice.com/en/article/n7vqew/the-hacker-who-archived-parler-explains-how-she-did-it-and-what-comes-next" class="">https://www.vice.com/en/article/n7vqew/the-hacker-who-archived-parler-explains-how-she-did-it-and-what-comes-next</a></div><div class=""><br class=""></div><div class="">Which gives us this map of what was uploaded on the 6th, during the insurrection:</div><div class=""><br class=""></div><div class=""><a href="https://twitter.com/markk116/status/1349466940658634755" class="">https://twitter.com/markk116/status/1349466940658634755</a></div><div class=""><br class=""></div><div class="">Which is arguably a worse failure than *keeping* the photos with people’s driver’s licenses, etc.</div><div class=""><br class=""></div><div class="">I mean, if you still wanted to keep all that stuff for legal reasons, the right way to do it is to move that hunk o’ data to a separate server and keep track of the URL the processed version is at (for the videos), and not make the private data readily available when your site fails.</div><div class=""><br class=""></div><div class="">Oh, and gosh, a lot of those videos were uploaded from military bases and police stations, surprise, surprise, surprise:</div><div class=""><br class=""></div><div class=""><a href="https://gizmodo.com/leaked-parler-data-points-to-users-at-police-stations-1846059897" class="">https://gizmodo.com/leaked-parler-data-points-to-users-at-police-stations-1846059897</a></div><div class=""><br class=""></div><div class="">Also, if you haven’t heard *why* Parler is offline, here’s a rather horrifying sample of the stuff Amazon asked them to remove (and they dragged their feet):</div><div class=""><br class=""></div><div class=""><a href="https://twitter.com/benedictevans/status/1350429324739031041" class="">https://twitter.com/benedictevans/status/1350429324739031041</a></div><div class=""><br class=""></div><div class="">Deirdre</div></body></html>
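An added example for the upload-handling point above (not code from the original email or from Parler): a standard-library Python check that walks a JPEG's segments, flags an Exif block carrying a GPSInfo pointer, and returns a copy with the Exif segment dropped, so what gets stored never carries lat/long. The sample JPEG is constructed inline; video containers (MP4 location atoms) and other formats need a fuller tool such as exiftool.

```python
import struct

def _iter_segments(data: bytes):
    """Yield (marker, start, end) for each JPEG segment; SOS runs to end of file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment boundary")
        marker = data[pos + 1]
        if marker == 0xDA:  # Start Of Scan: entropy-coded image data follows
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _is_exif(data: bytes, start: int, marker: int) -> bool:
    return marker == 0xE1 and data[start + 4:start + 10] == b"Exif\x00\x00"

def has_gps_metadata(data: bytes) -> bool:
    """True if an APP1 Exif segment's IFD0 carries a GPSInfo pointer (tag 0x8825)."""
    for marker, start, end in _iter_segments(data):
        if not _is_exif(data, start, marker):
            continue
        tiff = data[start + 10:end]                       # TIFF header + IFDs
        endian = ">" if tiff[:2] == b"MM" else "<"
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):                            # 12-byte IFD entries
            off = ifd0 + 2 + 12 * i
            if struct.unpack(endian + "H", tiff[off:off + 2])[0] == 0x8825:
                return True
    return False

def strip_exif(data: bytes) -> bytes:
    """Drop every APP1 Exif segment (GPS, timestamps, device IDs) before storage."""
    out = bytearray(data[:2])
    for marker, start, end in _iter_segments(data):
        if not _is_exif(data, start, marker):
            out += data[start:end]
    return bytes(out)

def _build_sample() -> bytes:
    """Constructed stand-in for an upload: JPEG skeleton with an Exif block that has GPSInfo."""
    tiff = (b"MM\x00\x2a" + struct.pack(">I", 8)          # big-endian TIFF, IFD0 at offset 8
            + struct.pack(">H", 1)                          # IFD0: one entry
            + struct.pack(">HHII", 0x8825, 4, 1, 26)        # GPSInfo pointer -> GPS IFD at 26
            + struct.pack(">I", 0)                          # no next IFD
            + struct.pack(">H", 0) + struct.pack(">I", 0))  # empty GPS IFD
    app1 = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02\xff\xd9")

SAMPLE_UPLOAD = _build_sample()
```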