
Former Social Network Parler has over 50TB of Data Leaked Online

piemadd

Disclaimer: Please do not talk about politics here! This post is meant to surround the data leak and the data leak only. It is against the rules of the forum to talk about politics!

 

I have removed any mentions of political anything from my quotes, so again, I am doing my best to keep politics out of this. That is why some quotes seem to start and end in the middle of sentences.

 

Summary

I do good with bullet points so here goes:

  • Parler is built on WordPress
  • One of the WordPress plugins was vulnerable
  • A security researcher was able to use this plugin to create admin accounts on the platform
  • These admin accounts were used to pull as much data from the platform as possible

 

Quotes

Quote

Article 1: ...a lone researcher began an effort to catalogue the posts of social media users across Parler, a platform founded to provide [redacted] users a safe haven for uninhibited “free speech”...

Security researcher did the work. Now let's take a look into what they uncovered and how.
 

Quote

Article 1: The researcher, who asked to be referred to by their Twitter handle, @donk_enby, began with the goal of archiving every post from January 6, the day of [absolutely nothing happening]; what she called a bevy of “very incriminating” evidence. According to the Atlantic Council’s Digital Forensic Research Lab, among other sources, Parler is one of several apps used by the [redacted] to coordinate their [redacted]...

So it seems like said researcher believes there is criminal evidence on this platform for an event which shall not be named.
 

Quote

Article 1: Operating on little sleep, @donk_enby began the work of archiving all of Parler’s posts, ultimately capturing around 99 percent of its content. In a tweet early Sunday, @donk_enby said she was crawling some 1.1 million Parler video URLs. “These are the original, unprocessed, raw files as uploaded to Parler with all associated metadata,” she said. Included in this data tranche, now more than 56 terabytes in size, @donk_enby confirmed that the raw video files include GPS metadata pointing to exact locations of where the videos were taken.

This is where it gets crazy. If you missed it, Parler failed to remove identifying metadata from the videos hosted on their platform, giving GPS location data of each of the users. But wait, it gets worse...
 

Quote

Article 2: In their viral post, the Redditor asserted that one of Parler's hosting platforms, Twilio, accidentally exposed the app's security authentications via a press release. This in turn could have allowed any person to create a blank administrator account and access all of Parler's private content, which, besides message history and geo data, might have included users' driver's license photos, which were used to create a verified account.

Oof is really all I can say here. All I can assume now is that there will be people who will match driver's licenses with geolocation data of images to forward any criminal activity onto the FBI and/or local law enforcement.

 

UPDATE: As @Blade of Grass pointed out, the archive pulled its data from a poorly created API. You can read about it in the tweet below:
 


 


 

Quote

Article 1: The privacy implications are obvious, but the copious data may also serve as a fertile hunting ground for law enforcement. Federal and local authorities have arrested dozens of suspects in recent days accused of taking part in [nothing]

Beyond the privacy implications, we really don't know what will happen to those whose data is leaked. There is no doubt that a database of compiled data will be up for sale on the dark web within weeks, or even days for that matter.


 

Quote

Article 2: According to tech writer Matthew Sheffield, the breach was possible due to Parler's long-criticized lax security standards. Specifically, Sheffield blames the potential leak on the app "never actually deleting anything its users posted," while keeping the data accessible to administrator users.

One final thing we can see here is that no data has ever been deleted from Parler, on top of their lax security. This is one of the reasons why the leakers could access so much information, even if it was deleted.
 

My thoughts

To put it simply, I am disappointed. I was not a user of Parler, but I do have to say if you market your platform towards a growing group of people not satisfied with their current social media options for one reason or another, you should do your best to make sure the security of your users is protected as much as possible. Who knows what will happen with the data, but we can for sure know that it is going to spread like wildfire.

 

Sources

Article 1: https://gizmodo.com/every-deleted-parler-post-many-with-users-location-dat-1846032466

Article 2: https://www.rt.com/usa/512152-parler-hacker-data-leak/

i like trains 🙂
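Added example, not part of the original post or the articles it quotes: a defender-side upload check in Python that finds and blanks location metadata in an MP4/MOV file before it is stored. It covers one common case only, the `©xyz` ISO 6709 location box under `moov/udta`, and overwrites it in place with a `free` box so no sizes or chunk offsets change. The function names, the sample file and its coordinates are constructed for illustration.

```python
import struct

LOCATION_BOX = b"\xa9xyz"   # '©xyz': ISO 6709 location string kept in moov/udta
CONTAINERS = {b"moov", b"udta", b"trak", b"mdia", b"minf", b"stbl"}

def walk_boxes(buf, start=0, end=None, path=()):
    """Yield (path, offset, size, header_len) for every box, recursing into containers."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack_from(">I4s", buf, pos)
        header = 8
        if size == 1:                        # 64-bit "largesize" follows the type
            if pos + 16 > end:
                raise ValueError(f"truncated box header at offset {pos}")
            size, header = struct.unpack_from(">Q", buf, pos + 8)[0], 16
        elif size == 0:                      # box runs to the end of its parent
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError(f"malformed box {btype!r} at offset {pos}")
        yield path + (btype,), pos, size, header
        if btype in CONTAINERS:
            yield from walk_boxes(buf, pos + header, pos + size, path + (btype,))
        pos += size

def find_locations(buf):
    """Return every location string stored in a '©xyz' box."""
    found = []
    for path, pos, size, header in walk_boxes(buf):
        if path[-1] == LOCATION_BOX and size - header >= 4:
            payload = buf[pos + header:pos + size]
            (text_len,) = struct.unpack_from(">H", payload)  # then 2-byte language code
            found.append(payload[4:4 + text_len].decode("utf-8", "replace"))
    return found

def scrub_locations(buf):
    """Return a same-length copy with each '©xyz' box turned into a zeroed 'free' box."""
    out = bytearray(buf)
    for path, pos, size, header in walk_boxes(buf):
        if path[-1] == LOCATION_BOX:
            out[pos + 4:pos + 8] = b"free"                    # type field sits after the size
            out[pos + header:pos + size] = bytes(size - header)
    return bytes(out)

def box(btype, payload=b""):
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

def sample_upload():
    """Constructed minimal file: ftyp, moov(mvhd, udta(©xyz)), mdat."""
    loc = b"+48.8584+002.2945/"                               # constructed coordinates
    xyz = box(LOCATION_BOX, struct.pack(">HH", len(loc), 0x15C7) + loc)  # 0x15C7 = 'eng'
    moov = box(b"moov", box(b"mvhd", bytes(100)) + box(b"udta", xyz))
    return box(b"ftyp", b"isom\x00\x00\x02\x00isommp42") + moov + box(b"mdat", bytes(32))

if __name__ == "__main__":
    upload = sample_upload()
    print("before:", find_locations(upload))
    print("after: ", find_locations(scrub_locations(upload)))
```

Files that keep location elsewhere (for example in a `meta` box or a separate metadata track) need additional handling; rejecting uploads that raise `ValueError` keeps malformed files out of storage.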


The fact that thousands of Americans uploaded images of the front and back of their state driver's licenses just to become 'verified citizens' on a social media app is the biggest indication I've seen that we need better privacy and technological literacy education. 

Main PC:

AMD Ryzen 7 5800X • Noctua NH-D15 • MSI MAG B550 Tomahawk • 2x8GB G.skill Trident Z Neo 3600MHz CL16 • MSI VENTUS 3X GeForce RTX 3070 OC • Samsung 970 Evo 1TB • Samsung 860 Evo 1TB • Cosair iCUE 465X RGB • Corsair RMx 750W (White)

 

Peripherals/Other:

ASUS VG27AQ • G PRO K/DA • G502 Hero K/DA • G733 K/DA • G840 K/DA • Oculus Quest 2 • Nintendo Switch (Rev. 2)

 

Laptop (Dell XPS 13):

Intel Core i7-1195G7 • Intel Iris Xe Graphics • 16GB LPDDR4x 4267MHz • 512GB M.2 PCIe NVMe SSD • 13.4" OLED 3.5K InfinityEdge Display (3456x2160, 400nit, touch). 

 

Got any questions about my system or peripherals? Feel free to tag me (@bellabichon) and I'll be happy to give you my two cents. 

 

PSA: Posting a PCPartPicker list with no explanation isn't helpful for first-time builders :)


16 minutes ago, pierom_qwerty said:

One of the WordPress plugins was vulnerable

This is why patching your stuff is important. It worries me how many important systems are probably still running Server 2008/R2 without ESU licensing.


27 minutes ago, pierom_qwerty said:

All I can assume now is that there will be people who will match driver's licenses with geolocation data of images to forward any criminal activity onto the FBI and/or local law enforcement.

But can the FBI or law enforcement use evidence that was acquired, at best, in a legally questionable way? 

 

 

Side note, I got a chuckle out of reading an article that looks like a government info release... half way through a sentence and bam, [redacted].

 


18 minutes ago, Oshino Shinobu said:

This is why patching your stuff is important. It worries me how many important systems are probably still running Server 2008/R2 without ESU licensing.

It worries me how many places still have an NT server kicking around internally (due to ...reasons...).

 

Honestly though, it can be hard to justify purchasing MS Server products when you factor in all the licensing and agreements you have to do...it can get pretty expensive for smaller companies to stay current.

 

With that said, yes this is why it's important to patch and not just blindly use libraries you find with Google.

3735928559 - Beware of the dead beef


3 minutes ago, The_russian said:

But can the FBI or law enforcement use evidence that was acquired, at best, in a legally questionable way? 

 

 

Side note, I got a chuckle out of reading an article that looks like a government info release... half way through a sentence and bam, [redacted].

 

I guess even if it's evidence they couldn't present in court, it may let them know who they should be looking for evidence on, and in extreme cases who belongs on a terrorist watch list. It's such weapons grade incompetence it's almost like it was intentional, like Parler was set up by the 'other side' to one day leak all this stuff.   


7 minutes ago, Monkey Dust said:

I guess even if it's evidence they couldn't present in court, it may let them know who they should be looking for evidence on, and in extreme cases who belongs on a terrorist watch list. It's such weapons grade incompetence it's almost like it was intentional, like Parler was set up by the 'other side' to one day leak all this stuff.   

"Fruit of the poisonous tree"


This whole thing seems like a shitshow, but man, this is honestly the worst part:

56 minutes ago, pierom_qwerty said:

One final thing we can see here is that no data has ever been deleted from Parler, on top of their lax security.

We need to hold companies more accountable when it comes to privacy, deleted means deleted. If I delete an account, my data should be completely deleted or altered so that it is no longer personally identifiable, otherwise what is even the point of deleting?

CPU: Intel Core i7-5820K | Motherboard: AsRock X99 Extreme4 | Graphics Card: Gigabyte GTX 1080 G1 Gaming | RAM: 16GB G.Skill Ripjaws4 2133MHz | Storage: 1 x Samsung 860 EVO 1TB | 1 x WD Green 2TB | 1 x WD Blue 500GB | PSU: Corsair RM750x | Case: Phanteks Enthoo Pro (White) | Cooling: Arctic Freezer i32

 

Mice: Logitech G Pro X Superlight (main), Logitech G Pro Wireless, Razer Viper Ultimate, Zowie S1 Divina Blue, Zowie FK1-B Divina Blue, Logitech G Pro (3366 sensor), Glorious Model O, Razer Viper Mini, Logitech G305, Logitech G502, Logitech G402


34 minutes ago, Monkey Dust said:

It's such weapons grade incompetence it's almost like it was intentional, like Parler was set up by the 'other side' to one day leak all this stuff.   

Even though this most likely wasn't the case, this level of incompetence is kind of insane in 2021. Especially when you consider that the whole premise of the website was to host controversial opinions (afaik), you'd think they'd take more precautions to secure their users' data and personally identifiable info, by the looks of it they were doing the complete opposite. lol


1 hour ago, pierom_qwerty said:

 

Summary

I do good with bullet points so here goes:

  • Parler is built on WordPress
  • One of the WordPress plugins was vulnerable
  • A security researcher was able to use this plugin to create admin accounts on the platform
  • These admin accounts were used to pull as much data from the platform as possible

 

 

WordPress is the single, worst, CMS that is written and used by people who haven't the slightest understanding of security. WP does not come with security. Period. You have to buy plugins that only work on properly set up WP installations, of which few are. There is no security by default.

 

I'm going to be blunt. I manage, or have previously managed WP sites, and when I couldn't get ahold of the owner of the site to do an emergency fix, I literally went to the MySQL engine, and changed the email on the admin user, reset the password, did whatever I needed to do, and then copied the email back and restored the previous password.

 

Adding admin users is absolutely trivial on WordPress, and the admin will never see them unless they're paying attention or have a security plugin that actually filters admins to IP addresses.

 


1 hour ago, bellabichon said:

The fact that thousands of Americans uploaded images of the front and back of their state driver's licenses just to become 'verified citizens' on a social media app is the biggest indication I've seen that we need better privacy and technological literacy education. 

 

Eh, I had PayPal ask me for a lot more several years ago. Which was why I stopped using them. You're right, it's something that shouldn't happen, but when you've got legitimate mainstream sites doing it you're going to see this kind of stupidity.


19 minutes ago, Kisai said:

~~snip~~

Yep, I hate WordPress so much. Most things you would use WordPress for can be done better and more securely through something like Wix, Weebly, etc.


13 minutes ago, CarlBar said:

 

Eh, I had PayPal ask me for a lot more several years ago. Which was why I stopped using them. You're right, it's something that shouldn't happen, but when you've got legitimate mainstream sites doing it you're going to see this kind of stupidity.

But I feel like PayPal has a slightly more valid reason to collect that kind of information, being a digital wallet and all. All the identity verification did on Parler was prove you were a 'real american' or whatever. 


1 hour ago, PCGuy_5960 said:

This whole thing seems like a shitshow, but man, this is honestly the worst part:

We need to hold companies more accountable when it comes to privacy, deleted means deleted. If I delete an account, my data should be completely deleted or altered so that it is no longer personally identifiable, otherwise what is even the point of deleting?

Honestly the way Parler was run gave me the impression that the entire thing was a massive shitshow. The fact that they don't actually delete anything despite asking for sensitive info including state issued IDs just confirms it.


2 hours ago, The_russian said:

But can the FBI or law enforcement use evidence that was acquired, at best, in a legally questionable way? 

 

 

Side note, I got a chuckle out of reading an article that looks like a government info release... half way through a sentence and bam, [redacted].

 

Use data presented, yes. Use it in Court, 90% unlikely. It can be done, see the Dread Pirate Roberts case, but it takes some serious work on the Prosecutor's side to accomplish. They almost rarely won't do that amount of work. (In the Dread Pirate Roberts case, they had an FBI employee that scammed a huge supply of Bitcoins during the case, so he got a bunch of data illegally in the process.)

 

As to the topic, somewhere around the 10 Gb range, this stops being "research" and became an attack surface discovery & exploitation. The only groups that have the type of use for that much data are Security Services or Intelligence Agencies. It wasn't called "Total Information Awareness" for nothing. There's still money to be made when you find a treasure trove.


Ok.  Hopefully I can say that things which you have been told about Parler are at best half truths written by people who did not use it.  I did.  Any questions anyone would like me to answer I'm available.  


12 minutes ago, Taf the Ghost said:

Use data presented, yes. Use it in Court, 90% unlikely. It can be done, see the Dread Pirate Roberts case, but it takes some serious work on the Prosecutor's side to accomplish. They almost rarely won't do that amount of work. (In the Dread Pirate Roberts case, they had an FBI employee that scammed a huge supply of Bitcoins during the case, so he got a bunch of data illegally in the process.)

 

As to the topic, somewhere around the 10 Gb range, this stops being "research" and became an attack surface discovery & exploitation. The only groups that have the type of use for that much data are Security Services or Intelligence Agencies. It wasn't called "Total Information Awareness" for nothing. There's still money to be made when you find a treasure trove.

IMO I feel like the FBI is going to use the info from this leak to then know who they need to focus on. Then they might do something like use security camera footage in the [unnamed building] and also publicly available info from Parler (i.e. a selfie taken by a proposed defendant for [doing something in] the [unnamed building]) to gather enough evidence to get a case. Will the Parler leak be presented in court? Probably not. Will it be used in investigations? I don't doubt it.


4 hours ago, Vanderburg said:

Security researcher? More like a criminal hacker.

Technically he did nothing wrong. Parler is based on WordPress and they allowed the data to be accessed.

 

43 minutes ago, pierom_qwerty said:

IMO I feel like the FBI is going to use the info from this leak to then know who they need to focus on. Then they might do something like use security camera footage in the [unnamed building] and also publicly available info from Parler (i.e. a selfie taken by a proposed defendant for [doing something in] the [unnamed building]) to gather enough evidence to get a case. Will the Parler leak be presented in court? Probably not. Will it be used in investigations? I don't doubt it.

The best evidence is self-incriminating evidence!

 

With access to proper hardware which the US gov has, it could take as little as a few hours for deep learning models to process images, audio, video, and text to identify every person in them.

 

When it comes to national security issues, the US government basically gets to use whatever evidence they can find. It’s not the same as a typical civil or criminal case.


3 hours ago, bellabichon said:

But I feel like PayPal has a slightly more valid reason to collect that kind of information, being a digital wallet and all. All the identity verification did on Parler was prove you were a 'real american' or whatever. 

 

While I get what you're saying there, and somewhat agree, it's still the case that we have an example of a digital wallet asking for a level of info (they wanted more than just this) that I'd expect from a bank or government agency. That's not a good thing to be doing and it sets a bad precedent. As another example of this effect: the whole reason the early phishing scams were so effective wasn't just human idiocy. It was because the internet was a wild west in terms of type and nature of e-mail communications, so a lot of them were asking reasonable things for the time they happened in. The change in the years since to not do certain things has gone a long way towards making filtering that stuff out much easier for both users and automated filters because it's no longer done nor acceptable.


@pierom_qwerty seems like the method of data retrieval is incorrect, they claimed to have used a poorly designed enumerable public API, no credentials of any kind required.

lol

15" MBP TB

AMD 5800X | Gigabyte Aorus Master | EVGA 2060 KO Ultra | Define 7 || Blade Server: Intel 3570k | GD65 | Corsair C70 | 13TB


4 hours ago, Vanderburg said:

Man, there sure are a lot of lawyers on this forum...

She, the hacker, made a copy of publicly accessible files that anyone could have accessed using a crawler. She didn’t break in to copy the files.


1 minute ago, Blade of Grass said:

@pierom_qwerty seems like the method of data retrieval is incorrect, they claimed to have used a poorly designed enumerable public API, no credentials of any kind required.

lol

Thank you! I was just typing a response, didn’t know about that tweet.

 

so yea, technically they did nothing illegal.


This topic is now closed to further replies.
