
retrofade

Far-Right Platform Gab Has Been Hacked—Including Private Data


Quote

On Sunday night the WikiLeaks-style group Distributed Denial of Secrets is revealing what it calls GabLeaks, a collection of more than 70 gigabytes of Gab data representing more than 40 million posts. DDoSecrets says a hacktivist who self-identifies as "JaXpArO and My Little Anonymous Revival Project" siphoned that data out of Gab's backend databases in an effort to expose the platform's largely right-wing users. Those Gab patrons, whose numbers have swelled after Parler went offline, include large numbers of Qanon conspiracy theorists, white nationalists, and promoters of former president Donald Trump's election-stealing conspiracies that resulted in the January 6 riot on Capitol Hill.

DDoSecrets cofounder Emma Best says that the hacked data includes not only all of Gab's public posts and profiles—with the exception of any photos or videos uploaded to the site—but also private group and private individual account posts and messages, as well as user passwords and group passwords. "It contains pretty much everything on Gab, including user data and private posts, everything someone needs to run a nearly complete analysis on Gab users and content," Best wrote in a text message interview with WIRED. "It's another gold mine of research for people looking at militias, neo-Nazis, the far right, QAnon, and everything surrounding January 6."

DDoSecrets says it's not publicly releasing the data due to its sensitivity and the vast amounts of private information it contains. Instead the group says it will selectively share it with journalists, social scientists, and researchers. WIRED viewed a sample of the data, and it does appear to contain Gab users' individual and group profiles—their descriptions and privacy settings—public and private posts, and passwords. Gab CEO Andrew Torba acknowledged the breach in a brief statement Sunday.

Passwords for private groups are unencrypted, which Torba says the platform discloses to users when they create one. Individual user account passwords appear to be cryptographically hashed—a safeguard that may help prevent them from being compromised—but the level of security depends on the hashing scheme used and the strength of the underlying password.

https://www.wired.com/story/gab-hack-data-breach-ddosecrets/

 

Ars Technica goes into greater detail on the method used to hack Gab, and how it was made vulnerable to this particular type of exploit. 

Quote

Over the weekend, word emerged that a hacker breached far-right social media website Gab and downloaded 70 gigabytes of data by exploiting a garden-variety security flaw known as an SQL injection. A quick review of Gab’s open source code shows that the critical vulnerability—or at least one very much like it—was introduced by the company’s chief technology officer.

The change, which in the parlance of software development is known as a “git commit,” was made sometime in February from the account of Fosco Marotto, a former Facebook software engineer who in November became Gab’s CTO. On Monday, Gab removed the git commit from its website. Below is an image showing the February software change, as shown from a site that provides saved commit snapshots.

[image: screenshot of the February git commit attributed to Fosco Marotto]

The commit shows a software developer using the name Fosco Marotto introducing precisely the type of rookie mistake that could lead to the kind of breach reported this weekend. Specifically, line 23 strips the code of “reject” and “filter,” which are API functions that implement a programming idiom that protects against SQL injection attacks.

This idiom allows programmers to compose an SQL query in a safe way that “sanitizes” the inputs that website visitors enter into search boxes and other web fields to ensure that any malicious commands are stripped out before the text is passed to backend servers. In their place, the developer added a call to the Rails function that contains the “find_by_sql” method, which accepts unsanitized inputs directly in a query string. Rails is a widely used website development toolkit.

“Sadly Rails documentation doesn't warn you about this pitfall, but if you know anything at all about using SQL databases in web applications, you'd have heard of SQL injection, and it's not hard to come across warnings that the find_by_sql method is not safe,” Dmitry Borodaenko, a former production engineer at Facebook who brought the commit to my attention, wrote in an email. “It is not 100% confirmed that this is the vulnerability that was used in the Gab data breach, but it definitely could have been, and this code change is reverted in the most recent commit that was present in their GitLab repository before they took it offline.”

Ironically, Fosco in 2012 warned fellow programmers to use parameterized queries to prevent SQL injection vulnerabilities. Marotto didn’t respond to an email seeking comment for this post. Attempts to contact Gab directly didn't succeed.

https://arstechnica.com/gadgets/2021/03/rookie-coding-mistake-prior-to-gab-hack-came-from-sites-cto/

 

As always, there is a relevant xkcd...

[image: xkcd comic]

 

@AndroidAggie should get a kick out of this one.
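An added illustration of the pattern the Ars Technica piece describes, written for this thread (it is not Gab's code and not from either article): interpolating a user-supplied search term straight into a find_by_sql string versus passing it as a bind parameter. ActiveRecord is not loaded here; the `quote_value` and `sanitize_sql_array` helpers are simplified stand-ins for what Rails does with a `?` placeholder, and the `statuses` table name is assumed.

```ruby
# Risky pattern from the article: the user's string becomes part of the SQL
# text, so a quote character in it changes the statement's structure.
def search_sql_unsafe(term)
  "SELECT * FROM statuses WHERE text LIKE '%#{term}%'"
end

# Quote one value the way a SQL string literal requires: wrap it in single
# quotes and double any embedded single quote. Simplified stand-in for the
# adapter-specific quoting Rails applies to find_by_sql(["... LIKE ?", term]).
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Parameterized form: the template holds only "?" placeholders and each bind
# is substituted as a quoted literal, never as raw SQL text.
def sanitize_sql_array(template, *binds)
  raise ArgumentError, "bind count mismatch" unless template.count("?") == binds.size
  i = -1
  template.gsub("?") { quote_value(binds[i += 1]) }
end

def search_sql_safe(term)
  sanitize_sql_array("SELECT * FROM statuses WHERE text LIKE ?", "%#{term}%")
end

# Cheap review-time check: in a well-formed statement every quote inside a
# value is doubled, so the total number of single quotes is even. An odd
# count means a value broke out of its string literal.
def literal_boundaries_balanced?(sql)
  sql.count("'").even?
end

if __FILE__ == $0
  ["Bobby", "O'Brien"].each do |term|
    puts "unsafe: #{search_sql_unsafe(term)}  balanced=#{literal_boundaries_balanced?(search_sql_unsafe(term))}"
    puts "safe:   #{search_sql_safe(term)}  balanced=#{literal_boundaries_balanced?(search_sql_safe(term))}"
  end
end
```

A name as ordinary as O'Brien is enough to show the difference: the interpolated version leaves the literal unterminated, the parameterized version keeps it intact.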


lmao i learned about sql injections from a jk rowling novel in 2015

why are these guys such noobs

Remember that every argument you have with someone on MWCboard is actually the continuation of a different argument they had with someone else also on MWCboard. 


On 3/3/2021 at 8:19 PM, happycamper said:

lmao i learned about sql injections from a jk rowling novel in 2015

why are these guys such noobs

I mean... think about the quality of person you'd be getting to work at someplace like Gab.
