Parler, the Twitter rip-off that served as one of the main organizing tools for the Donald Trump fanatics who stormed the U.S. Capitol on Jan. 6, has been largely offline for more than a week. But even in suspended animation, the preferred online home for QAnon, the Proud Boys, and other elements of the American far-right is still creating trouble.
Decisions by Amazon, Apple, and Google to quit hosting the site and forbid mobile users to download the app have triggered cries of Big Tech censorship. First Amendment and internet regulation politics aside, the way Parler gushed data on its way out the door raises serious cybersecurity questions as well as worries about whether other players on the internet have data breaches in their future.
Though it’s impossible to verify without peeking under Parler’s hood—a task now impossible since the website is offline—the prevailing narrative is that a Parler security flaw (or flaws) allowed a white-hat hacker to download and archive all of Parler’s user data shortly before Amazon Web Services pulled the plug on hosting the site. Among the data presented for the public (and law enforcement) to access included, in some cases, potentially incriminating location data.
Parler relied on Worpress, the world’s most-used content management system. That has led to speculation that WordPress was part of the flaw and that anyone else using WordPress was in danger. However, according to a general consensus of cybersecurity experts, including several contacted for this article, Parler’s data breach didn’t happen simply because Parler used WordPress. Instead, Parler’s user data leaked because CEO John Matze and the site’s architects left major flaws in Parler’s API, the link between Parler’s front-end and its user data.
The “predominant belief” is “that Parler was a rushed, poor design buoyed by right-leaning investors to become pretty large before they really had built a solid foundation, technologically speaking,” Andrew Zolides, a professor of communications at Xavier University who teaches courses in digital design told Observer. (Among Parler’s investors are the right-wing billionaire Rebekah Mercer, who tried to capitalize on right-wing anger at Twitter and Facebook to grow Parler’s audience.)
“While any website has its privacy concerns, Parler seems like an issue of getting too big, too fast and not having the ability or technical know-how to actually prepare for that,” Zolides added.
In a welcome development for anyone concerned about anonymity or security in general, other websites can avoid the Parler trap… provided they aren’t relatively new and small startups who try to compete with established giants like Twitter and Facebook, which is exactly what Parler did.
“Yes, Parler could have been better designed, but realistically speaking, this is the kind of problem that happens when you’re competing against mature companies that have invested billions and billions of dollars into their products,” said Joseph Steinberg, a security expert and author of Cybersecurity for Dummies. “You’re going to have a hard time designing everything that you want in a secure fashion.”
First, the method for the alleged “hack.” Before Parler was yanked from AWS, a Twitter user with the handle @donk_enby figured out how to download the website’s user data—all of which, along with whatever other very public evidence of Parler users breaching the Capitol, assaulting officers, and plotting further violence, was potentially very incriminating, as Gizmodo reported.
@donk_enby eventually snagged 56 terabytes worth of data: photos, videos, and text posts, many of which included some GPS metadata that positively put Parler users in and around the Capitol on January 6, including in secured areas. At least some of this data—56,000 gigabytes—has been used to identify and apprehend riot participants, according to federal affidavits, but there’s no proof positive that the feds used @donk_envy’s data tranche.
But how was it done? Early speculation buzzed that @donk_enby or another hacker may have stolen Parler admin credentials, which would be an illegal act. The accepted theory is that, as The Startup reported and several security experts have outlined, instead, Parler’s own API was used against it to archive the website’s data—and to do so quickly.
Parler’s designers didn’t restrict access to the API by requiring authentication. Users did not need specific credentials to access the data on the back end. That left an enormous back door open.
Most websites aware of basic security protocol don’t allow access to the API without some form of user authentication to ensure the request isn’t malicious. As The Startup pointed out, two common authentication solutions are API keys and “tokens,” both of which require some valid credentials that also allow the website to know who’s accessing the data.
No authentication requirement left a door ajar. On top of that, Parler’s designers didn’t bother to add a second layer of defense in the way of rate-limiting—meaning instead of a door ajar or left cracked, the door was wide open.
Rate-limiting caps how much data a user can access regardless of credentials. Web users may have seen 429 “Too Many Request” error messages out in the wild, which is a sign that there have been too many knocks or attempts to pass through the door. Parler didn’t have this, either, which meant that once the unsecured back end was accessed, @donk_enby was also able to archive Parler’s data within 48 hours. (Oddly enough, as The Startup pointed out, Amazon Web Service has a basic firewall option that Parler didn’t seem to bother with.)
Finally, Parler also allowed posts its users believed were deleted to be both available and easily discovered once someone was in the back end. In the aftermath of the deadly riots, some Parler users, aware of the reams of evidence available on the web, encouraged others to delete their posts from January 6.
All of Parler’s posts were given sequential numbers that increased by 1. Even when those posts were deleted by the user, they remained on the back end. @donk_enby apparently needed to write only a very basic script that found and archived each post, one by one. And since Parler didn’t bother removing geo-tagged data from photos and videos and posts before they were uploaded, that information was also sitting there waiting to be archived.
It’s possible that other websites that use WordPress or other hosting software altogether may have similar security flaws, but they also might not be infamous enough to have those security flaws become the interest of vigilante hackers and thus be breached.
“It is not uncommon for websites to have security flaws, sometimes significant ones, that go unnoticed because they are not popular enough to draw more than simple, often automated, attempts to compromise them,” said Erich Kron, a security expert with KnowBe4, a prominent security solutions firm. “When the site becomes popular quickly, the focus and complexity of these tests increase, often leading to vulnerabilities being discovered.”
One recent example of this phenomenon, Kron said, was Zoom. When the COVID-19 pandemic made all work remote work, Zoom’s previously undetected security flaws were discovered, exploited, and then quickly patched. But with Parler, when security vendors started ditching their erstwhile client, “it left Parler vulnerable at a time they were also a target of attackers, hacktivists and others,” Kron added.
Parler isn’t dead quite yet. Over the weekend, some version of Parler returned on the same web servers that host other fringe sites welcoming hate speech. As of Tuesday evening, the site’s homepage is a “technical difficulties” landing page; site founder John Matze told Fox News the website plans to be fully functional by the end of the month (though mobile users will likely be stuck using the web-based version instead of an app). And there are other homes for the online far-right—though, as Zolides pointed out, “free-speech” focused forums like Gab have been more proactive with content moderation than Parler.
More details may yet emerge on exactly how @donk_enby accessed Parler’s data and whether the “open-door” theory was exactly what happened. (And standing separate from the cybersecurity question are issues of ethics; breach or hack, Parler’s user data was still stolen, as Steinberg said, and a heist is nothing to celebrate.)
Assuming Parler’s data was done in by bad design, for now, the online story of January 6 is one of repeated self-incrimination: unmasked rioters wandering the US Capitol, gleefully and openly discussing their foiled additional plans, posting incriminating evidence to the internet all the while, to a website that was not prepared to keep that evidence anonymous or secure.