bobdizole
All American
Posts: 3,517
Joined: Dec 2017
Reputation: 343
I Root For: MT
RE: Parler data scrape
(01-12-2021 01:12 PM)bullet Wrote: (01-12-2021 12:42 PM)bobdizole Wrote: (01-12-2021 12:39 PM)MileHighBronco Wrote: (01-12-2021 11:47 AM)bobdizole Wrote: Link
FYI for those that do not know the difference. A data scrape is not necessarily a hack. They use legal, but questionable, means to access the APIs of websites to automate massive amounts of data archiving.
Quote:The scrape includes user profile data, user information, and which users had administration rights for specific groups within the social network. Twitter user @donk_enby, who first announced the scrape, claims that over a million video URLs, some deleted and private, were taken.
“These are original, unprocessed, raw files as uploaded to Parler with all associated metadata,” claims one of the authors.
Security researchers claim that the scraped posts are linked to accounts that posted them, and some of the video and image data have geolocation information. That is said also to include data from Parler’s “Verified Citizens,” users of the network who verified their identity by uploading photographs of government-issued IDs, such as a driver’s license.
However, after the news about the data scrape went global, the author of the hack @donk_enby explained in a tweet that neither she nor others have collected any personal data that Parler users did not make public themselves.
“Only things that were available publicly via the web were archived. I don’t have your e-mail address, phone or credit card number, unless you posted it yourself on Parler,” she stated on Twitter.
The data might prove valuable to law enforcement since many who participated in the riots deleted their posts and videos afterward. The data scrape includes deleted posts, meaning that Parler stored user data after users deleted it.
Parler, a far-right friendly site, was among the key candidates to host President Donald Trump’s social media presence as Twitter and Facebook suspended his accounts for instigating violence.
Just have to laugh at the characterization. This is obviously a left wing outfit that wrote this. They can deny it but their use of language betrays them, as well as their zeal to get law enforcement after conservatives.
Unlike Twitter, Parler is welcoming to ALL posters. They don't drive them off or ban them, unless they have committed a crime. To the far left, it may appear a "far right" site but part of that is that they don't like the idea of free speech. They don't like any outlet that lets conservative voices be heard.
I don't disagree, it's obviously a left leaning article. My point is more that the abysmal security of the site is likely going to lead to some serious trouble for its users.
Quote:A key reason for her success: Parler’s site was a mess. Its public API used no authentication. When users deleted their posts, the site failed to remove the content and instead only added a delete flag to it. Oh, and each post carried a numerical ID that was incremented from the ID of the most recently published one.
The rookie code made it easy to automate the scraping, as this script used by donk_enby’s archival team demonstrates. As a result, massive numbers of posts that discussed the insurrection before, during, and after it was carried out will be preserved indefinitely so that they’re available to researchers, journalists, prosecutors, and others.
Another amateur mistake was Parler’s failure to scrub geolocations from images and videos posted online. Sites like Twitter and Google routinely remove such metadata from content posted by their users. The video files hosted on Parler, by contrast, were “raw,” meaning they still contained this information.
Twitter and Google sell that data.
At least they anonymize the data before they sell it (well, they claim to). This data scrape just told the whole world everything its users ever posted and, if they shared an image or video, where they took it.
Quote:Even so, White points out that Parler appears to have failed to scrub geolocation metadata from images and videos before they were posted. So while the data that hackers have pulled from the site may be public, the result is that much of that archived content also contains Parler users' detailed locations, likely revealing the GPS coordinates of many of their homes. Data artist Kyle McDonald has already created a visualization of the locations of 68,000 of the archived Parler videos.
"This is as bad as it gets," White says. "It's gross incompetence on the part of Parler. They marketed themselves as a private, secure, unmoderated platform, and instead it's comedy hour."
Quote:Parler's cardinal security sin is known as an insecure direct object reference, says Kenneth White, codirector of the Open Crypto Audit Project, who looked at the code of the download tool @donk_enby posted online. An IDOR occurs when a hacker can simply guess the pattern an application uses to refer to its stored data. In this case, the posts on Parler were simply listed in chronological order: Increase a value in a Parler post url by one, and you'd get the next post that appeared on the site. Parler also doesn't require authentication to view public posts and doesn't use any sort of "rate limiting" that would cut off anyone accessing too many posts too quickly. Together with the IDOR issue, that meant that any hacker could write a simple script to reach out to Parler's web server and enumerate and download every message, photo, and video in the order they were posted.
"It's just a straight sequence, which is mind-numbing to me," says White. "This is like a Computer Science 101 bad homework assignment, the kind of stuff that you would do when you're first learning how web servers work. I wouldn't even call it a rookie mistake because, as a professional, you would never write something like this."
Services like Twitter, by contrast, randomize the URLs of posts so they can't be guessed. And while they offer APIs that give developers access to tweets en masse, they carefully restrict access to those APIs. By contrast, Parler had no authentication for an API that offered access to all its public contents, says Josh Rickard, a security engineer for security firm Swimlane. "Honestly it seemed like an oversight, or just laziness," says Rickard, who says he analyzed Parler's security architecture in a personal capacity. "They didn’t think about how big they were going to get, so they didn’t do this properly."
This is almost as bad as the time a large restaurant chain started selling e-gift cards... in numerical order.
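The three design failures the quoted articles attribute to Parler (sequential post IDs, soft deletes that still serve the content, and no rate limiting on an unauthenticated API) side by side with a hardened version, as an added toy example that is not code from the thread or from Parler; class and method names are assumptions, and the store is in-memory only.

```python
# Added example (not from the thread): a toy post store contrasting the weaknesses
# the quoted articles describe with a hardened design. All names are assumptions.
import secrets
import time
from collections import defaultdict


class WeakPostStore:
    """Sequential IDs plus soft delete: an enumeration (IDOR) target."""

    def __init__(self):
        self.posts = {}
        self.next_id = 1

    def create(self, body):
        pid = self.next_id            # guessable: always the last id + 1
        self.next_id += 1
        self.posts[pid] = {"body": body, "deleted": False}
        return pid

    def delete(self, pid):
        self.posts[pid]["deleted"] = True   # flag only; content retained and still served

    def fetch(self, pid):
        return self.posts.get(pid)          # no auth, no rate limit, deleted posts still visible


class HardenedPostStore:
    """Unguessable IDs, real deletion, and a per-client fixed-window rate limit."""

    def __init__(self, limit=100, window=60.0):
        self.posts = {}
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)     # client -> recent request timestamps

    def create(self, body):
        pid = secrets.token_urlsafe(16)   # 128 random bits; not derivable from earlier ids
        self.posts[pid] = {"body": body}
        return pid

    def delete(self, pid):
        self.posts.pop(pid, None)         # content actually removed from the serving store

    def fetch(self, pid, client, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits[client] if now - t < self.window]
        if len(recent) >= self.limit:     # too many requests in the window: refuse
            self.hits[client] = recent
            return "rate_limited"
        recent.append(now)
        self.hits[client] = recent
        return self.posts.get(pid)        # unknown and deleted ids both return None
```

Stripping GPS metadata from uploaded images, the other failure the articles mention, is a separate mitigation at upload time and is not shown here.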