Parler hacked and TITSUP

RonSwanson

Expert Member
Joined
May 21, 2018
Messages
4,402
Rookie mistake.

From Wired:
Parler's cardinal security sin is known as an insecure direct object reference, says Kenneth White, codirector of the Open Crypto Audit Project, who looked at the code of the download tool @donk_enby posted online. An IDOR occurs when a hacker can simply guess the pattern an application uses to refer to its stored data. In this case, the posts on Parler were simply listed in chronological order: Increase a value in a Parler post url by one, and you'd get the next post that appeared on the site. Parler also doesn't require authentication to view public posts and doesn't use any sort of "rate limiting" that would cut off anyone accessing too many posts too quickly. Together with the IDOR issue, that meant that any hacker could write a simple script to reach out to Parler's web server and enumerate and download every message, photo, and video in the order they were posted.
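The three weaknesses the Wired paragraph names (guessable sequential IDs, no authentication check on reads, no rate limiting) each have a straightforward server-side counterpart. The block below is an added illustration, not Parler's code and not from the Wired article or the download tool it mentions: it contrasts an integer-keyed lookup with a store that uses opaque random IDs, checks who is allowed to see a post, and throttles per client, and it adds a small log-side check that flags a client walking IDs in strict sequence. The store class, the limiter, the log format and every sample value are constructed for the example.

```python
"""Added example: enumerable integer IDs versus an opaque-ID store with a
visibility check and per-client rate limit, plus detection of sequential
ID walking in access logs. All names, formats and data are constructed."""
import secrets
import time
from collections import defaultdict

# --- Weak design: posts keyed by an incrementing integer -----------------
weak_store = {1: "first post", 2: "second post", 3: "third post"}


def weak_lookup(post_id):
    """Guessable key, no caller identity, no throttling: knowing post N
    trivially gives post N+1, which is the IDOR pattern described above."""
    return weak_store.get(post_id)


# --- Hardened design ----------------------------------------------------
class RateLimiter:
    """Sliding-window counter: at most `limit` requests per `window` seconds
    for each client key. `clock` is injectable so tests can freeze time."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(list)

    def allow(self, client):
        now = self.clock()
        recent = [t for t in self.hits[client] if now - t < self.window]
        self.hits[client] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


class PostStore:
    """Opaque 128-bit random IDs make the 'next' post unguessable; a
    visibility check decides who may read it; the limiter bounds bulk reads."""

    def __init__(self, limiter):
        self.posts = {}
        self.limiter = limiter

    def create(self, author, text, public=True):
        post_id = secrets.token_urlsafe(16)  # not derivable from any other id
        self.posts[post_id] = {"author": author, "text": text, "public": public}
        return post_id

    def get(self, post_id, viewer, client_ip):
        if not self.limiter.allow(client_ip):
            return "429 too many requests"
        post = self.posts.get(post_id)
        if post is None or (not post["public"] and post["author"] != viewer):
            return "404 not found"  # same answer as missing: don't confirm existence
        return post["text"]


# --- Detection: sequential-ID walking in access logs ---------------------
def enumeration_suspects(log_lines, min_run=5):
    """Flag clients whose requested integer IDs form a strictly consecutive
    run of at least `min_run`, the signature of a crawl rather than browsing.
    Constructed log format: '<client_ip> /posts/<integer id>'."""
    per_client = defaultdict(list)
    for line in log_lines:
        ip, path = line.split()[:2]
        per_client[ip].append(int(path.rsplit("/", 1)[1]))
    flagged = []
    for ip, ids in per_client.items():
        run = best = 1
        for a, b in zip(ids, ids[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append(ip)
    return flagged


# Constructed sample log: one client walks 100..106, another browses at random.
SAMPLE_LOG = [f"203.0.113.7 /posts/{n}" for n in range(100, 107)] + [
    "198.51.100.5 /posts/42",
    "198.51.100.5 /posts/7",
    "198.51.100.5 /posts/913",
]

if __name__ == "__main__":
    store = PostStore(RateLimiter(limit=100, window=60))
    pid = store.create("alice", "hello")
    print(store.get(pid, "bob", "198.51.100.5"))
    print(enumeration_suspects(SAMPLE_LOG))
```

The limiter keys on client address only for brevity; a real deployment would also key on account and apply the same limit to every read path, since a single unthrottled endpoint is enough for a full crawl. The `404` for a private post a viewer may not see is deliberate: answering `403` would confirm the ID exists.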

 

RonSwanson

Expert Member
Joined
May 21, 2018
Messages
4,402
Well, just copying a bunch of posts that are public in any case isn't hacking.

That's like saying every person that copies or print screens a tweet hacked Twitter.

Not sure what exactly your point is. Finding money on the street doesn't make you a bank robber, agreed.

Whilst the skill level required to write the acquisition script is low, the fact that it was an automated attack suggests malicious intent (to steal with the aim of doxxing). It doesn't make it right.

If you leave your home unlocked for 10 days, and leave, someone comes along with a truck, posts a whistleblower in the street and cleans you out, then it could be argued that you haven't taken the due care necessary to protect your assets, agreed. It doesn't make the thief a better person though, he is still a thief, whose intention was clearly to deprive you of your stuff, even though you didn't protect it.
 

rietrot

Honorary Master
Joined
Aug 26, 2016
Messages
22,900
Not sure what exactly your point is. Finding money on the street doesn't make you a bank robber, agreed.

Whilst the skill level required to write the acquisition script is low, the fact that it was an automated attack suggests malicious intent (to steal with the aim of doxxing). It doesn't make it right.

If you leave your home unlocked for 10 days, and leave, someone comes along with a truck, posts a whistleblower in the street and cleans you out, then it could be argued that you haven't taken the due care necessary to protect your assets, agreed. It doesn't make the thief a better person though, he is still a thief, whose intention was clearly to deprive you of your stuff, even though you didn't protect it.
Public information is public. You can't really steal it.

To dox someone would require private information.
 

rietrot

Honorary Master
Joined
Aug 26, 2016
Messages
22,900
Post a photo of your driver's license then if you think that it is public information.
My personal details are private. Not public.

You would require that to dox me.
I'm not going to dox myself by posting personal details online. But if someone does that then that information is also made public.

Why do you think public Parler posts contain driver's licenses?
 

RonSwanson

Expert Member
Joined
May 21, 2018
Messages
4,402
My personal details are private. Not public.

You would require that to dox me.
I'm not going to dox myself by posting personal details online. But if someone does that then that information is also made public.

Why do you think public Parler posts contain driver's licenses?
Reddit rumour.

Regardless of whether public or private, the fact that it was scripted to hoover it all up makes the intent malicious.
 