Parler hacked and TITSUP

RonSwanson

RonSwanson

Expert Member
Joined
May 21, 2018
Messages
4,402
Rookie mistake.

From Wired:
Parler's cardinal security sin is known as an insecure direct object reference, says Kenneth White, codirector of the Open Crypto Audit Project, who looked at the code of the download tool @donk_enby posted online. An IDOR occurs when a hacker can simply guess the pattern an application uses to refer to its stored data. In this case, the posts on Parler were simply listed in chronological order: Increase a value in a Parler post url by one, and you'd get the next post that appeared on the site. Parler also doesn't require authentication to view public posts and doesn't use any sort of "rate limiting" that would cut off anyone accessing too many posts too quickly. Together with the IDOR issue, that meant that any hacker could write a simple script to reach out to Parler's web server and enumerate and download every message, photo, and video in the order they were posted.
Click to expand...

Insecure Direct Object Reference Prevention - OWASP Cheat Sheet Series

Website with the collection of all the cheat sheets of the project.
cheatsheetseries.owasp.org cheatsheetseries.owasp.org
Click to expand...
 
RonSwanson

RonSwanson

Expert Member
Joined
May 21, 2018
Messages
4,402
rietrot said:
Well just coping a bunch of post that is public in anycase isn't hacking.

That's like saying every person that copies or print screens a tweet hacked Twitter.
Click to expand...

Not sure what exactly your point is. Finding money on the street doesn't make you a bank robber, agreed.

Whilst the skill level required to write the acquisition script is low, the fact that it was an automated attack suggests malicious intent (to steal with the aim of doxxing). It doesn't make it right.

If you leave your home unlocked for 10 days, and leave, someone comes along with a truck, posts a whistleblower in the street and cleans you out, then it could be argued that you haven't taken the due care necessary to protect your assets, agreed. It doen't make the thief a better person though, he is still a thief, whose intention was clearly to deprive you of your stuff, even though you didn't protect it.
 
rietrot

rietrot

Honorary Master
Joined
Aug 26, 2016
Messages
22,900
RonSwanson said:
Not sure what exactly your point is. Finding money on the street doesn't make you a bank robber, agreed.

Whilst the skill level required to write the acquisition script is low, the fact that it was an automated attack suggests malicious intent (to steal with the aim of doxxing). It doesn't make it right.

If you leave your home unlocked for 10 days, and leave, someone comes along with a truck, posts a whistleblower in the street and cleans you out, then it could be argued that you haven't taken the due care necessary to protect your assets, agreed. It doen't make the thief a better person though, he is still a thief, whose intention was clearly to deprive you of your stuff, even though you didn't protect it.
Click to expand...
Public information is public. You can't really steal it.

To dox someone would require private information.
 
rietrot

rietrot

Honorary Master
Joined
Aug 26, 2016
Messages
22,900
RonSwanson said:
Post a photo of your driver's license then if you think that it is public information.
Click to expand...
My personal details is private. Not public.

You would require that to dox me.
I'm not going to dox myself by posting personal details online. But if someone does that then that information is also made public.

Why do you think public parlor post contain driver licenses?
 
RonSwanson

RonSwanson

Expert Member
Joined
May 21, 2018
Messages
4,402
rietrot said:
My personal details is private. Not public.

You would require that to dox me.
I'm not going to dox myself by posting personal details online. But if someone does that then that information is also made public.

Why do you think public parlor post contain driver licenses?
Click to expand...
Reddit rumour.

Regardless of whether public or private, the fact that it was scripted to hoover it all up makes the intent malicious.
 
You must log in or register to reply here.
Top