Parler’s amateur coding could come back to haunt Capitol Hill rioters

Discussion in 'Current Events' started by Burzmali, Jan 12, 2021.

  1. Burzmali

    Burzmali Well-Known Member Past Donor

    By now, you may have heard of the hacker who says she scraped 99 percent of posts from Parler, the Twitter-wannabe site used by Trump supporters to help organize last Wednesday’s violent insurrection on Capitol Hill. What you may not know yet is the abysmal coding and security that made the scraping so easy.

    To recap, the scraping was pulled off by a hacker who goes by the handle donk_enby. She originally set out to archive content posted to Parler last Wednesday in hopes of preserving self-incriminating material before account holders came to their senses and deleted it. By Sunday, donk_enby said she had collected roughly 80 terabytes of posts, including more than 1 million videos, many of which contained the GPS metadata identifying the exact locations of where the videos were shot.

    ...

    The rookie code made it easy to automate the scraping, as this script used by donk_enby’s archival team demonstrates. As a result, massive numbers of posts that discussed the insurrection before, during, and after it was carried out will be preserved indefinitely so that they’re available to researchers, journalists, prosecutors, and others.


    https://arstechnica.com/information...ome-back-to-haunt-capitol-hill-rioters/?amp=1

    Looks like we'll soon be able to see just what trash was posted to Parler that got them dumped by Amazon, Apple, etc. Hope the folks here who also had a Parler account didn't post anything illegal. Also, maybe change your passwords. A site made this poorly probably didn't do a great job of protecting log in credentials, either.
     
  2. HurricaneDitka

    HurricaneDitka Well-Known Member

    Scraping content from publicly available websites is not particularly challenging. It'd be fairly simple to do the same thing to Twitter, for example, if someone cared to.
     
    AmericanNationalist and drluggit like this.
  3. HTownMarine

    HTownMarine Well-Known Member Past Donor

    You'll probably find the same stuff that you'd find on Twitter...

    Calls to destroy symbols of capitalism, child porn, promises to eradicate Jews

    Only difference is, you'll be outraged by it.
     
  4. Thedimon

    Thedimon Well-Known Member

    It kills me that it went offline. The site was probably written in php, all you need is copy folders with contents from one server to another and then just reconfigure DNS. Even if it was written in .NET - they would just need to publish website to the new server.
    They had a huge surge of users in the last several months and they should have generated enough cash from advertising to be able to buy 10-15 servers and work towards owning the infrastructure.

    Just mismanagement and low quality web developers.
     
  5. Burzmali

    Burzmali Well-Known Member Past Donor

    You should read the full post to see the extent of the problem. Even group-only posts didn't actually require a&a to access, and each post number was just an increment of the previous one. So all the "hacker" had to do was get one URL and then increment the number to traverse across everything. Plus, the site didn't strip metadata from pictures or videos like most other sites do.
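The two access-control mistakes described in this post (no authentication or authorization on group-only posts, and sequential post numbers) side by side with the hardened version. This is an added example written for this thread, not Parler's code; the Post/Store data model, the group membership table and both id schemes are assumptions.

```python
"""Authorization on 'group only' posts and unguessable post identifiers.
Added example for this thread, not Parler's code: the Post/Store data model,
the group membership table and both id schemes are assumptions."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Post:
    post_id: str
    author: str
    body: str
    group: Optional[str] = None   # None marks a public post

@dataclass
class Store:
    posts: dict = field(default_factory=dict)      # post_id -> Post
    members: dict = field(default_factory=dict)    # group -> set of usernames
    next_seq: int = 1

    def add_post(self, author, body, group=None, sequential=False):
        # Sequential ids (1, 2, 3, ...) let anyone walk every post by adding one
        # to the last id they saw; a 128-bit random token cannot be enumerated.
        # Random ids are defence in depth only: the check in get_post is what
        # actually protects group-only content.
        if sequential:
            post_id, self.next_seq = str(self.next_seq), self.next_seq + 1
        else:
            post_id = secrets.token_urlsafe(16)
        self.posts[post_id] = Post(post_id, author, body, group)
        return post_id

    def get_post_unchecked(self, post_id):
        """The flaw the thread describes: whoever knows an id gets the post,
        group-only or not, with no login and no membership check."""
        return self.posts[post_id]

    def get_post(self, post_id, viewer: Optional[str]):
        """Authenticate (viewer is a logged-in username, None if anonymous),
        then authorize (author or group member) before returning a group-only
        post. Returns None for 'missing' and 'forbidden' alike so callers
        cannot tell the two apart."""
        post = self.posts.get(post_id)
        if post is None or post.group is None:
            return post
        if viewer is None:
            return None
        allowed = viewer == post.author or viewer in self.members.get(post.group, set())
        return post if allowed else None
```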
     
  6. Quantum Nerd

    Quantum Nerd Well-Known Member

    This should serve as a warning to all of us: There is no anonymity on the internet.

    Same on this site: If you post a picture taken with your phone, it is likely that it contains location data, and people could figure out your identity from it. So, be careful everyone about what you post. If it is something that you wouldn't want your mother/wife/kids to see, it is better to not post it. If you do, they may at one point find out about it.
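The location data this post warns about lives in the Exif (and XMP) APP1 segments of a JPEG; a site or a user can drop those segments before publishing without touching the image itself. This is an added example written for this thread, not Parler's or the article's code; it walks the JPEG segment structure directly, and the sample JPEG is hand-constructed, not a real photo.

```python
"""Strip Exif/XMP (APP1) metadata, where GPS tags live, from a JPEG in memory.
Added example for this thread, not Parler's or the article's code; it walks the
JPEG segment structure directly, and the sample JPEG below is hand-constructed."""
import struct

SOI, SOS, APP1 = b"\xff\xd8", 0xDA, 0xE1

def _segments(jpeg: bytes):
    """Yield (marker, raw_segment) per header segment; the final item is
    (SOS, rest): the Start-of-Scan segment plus all compressed data after it."""
    pos = len(SOI)
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"corrupt marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:
            yield marker, jpeg[pos:]    # scan data passes through unchanged
            return
        if pos + 4 > len(jpeg):
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # includes itself
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no Start-of-Scan marker")

def has_app1_metadata(jpeg: bytes) -> bool:
    """True if any APP1 segment (Exif or XMP container) is present."""
    return any(marker == APP1 for marker, _ in _segments(jpeg))

def strip_metadata(jpeg: bytes) -> bytes:
    """Return a still-decodable copy with every APP1 segment removed.
    Exif (GPS IFD) and XMP both travel in APP1, so dropping that segment class
    removes location tags without parsing TIFF; APP0/JFIF, tables and scan stay."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    return SOI + b"".join(seg for marker, seg in _segments(jpeg) if marker != APP1)

# Constructed sample: SOI, Exif APP1 with a stand-in GPS payload, a fake
# quantisation table, a minimal scan, then EOI.
EXIF_PAYLOAD = b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08<GPS-IFD-PLACEHOLDER>"
SAMPLE_JPEG = (
    SOI
    + b"\xff\xe1" + struct.pack(">H", len(EXIF_PAYLOAD) + 2) + EXIF_PAYLOAD
    + b"\xff\xdb" + struct.pack(">H", 4) + b"\x00\x01"
    + b"\xff\xda" + struct.pack(">H", 4) + b"\x00\x02\x12\x34\x56"
    + b"\xff\xd9"
)
```

Other containers (PNG tEXt/eXIf chunks, MP4 location atoms) need their own stripper; this one covers JPEG only.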
     
  7. mdrobster

    mdrobster Well-Known Member

    The site was probably written in php, all you need is copy folders with contents from one server to another and then just reconfigure DNS. Even if it was written in .NET
    Not sure where you are going with that statement. The .NET would handle all the WebAPI/AJAX calls and any backend data. One could just hit the F12 function key and see the source code.

    https://www.tutorialspoint.com/php/php_introduction.htm
    • PHP is a server side scripting language that is embedded in HTML. It is used to manage dynamic content, databases, session tracking, even build entire e-commerce sites.

    • It is integrated with a number of popular databases, including MySQL, PostgreSQL, Oracle, Sybase, Informix, and Microsoft SQL Server.

    • PHP is pleasingly zippy in its execution, especially when compiled as an Apache module on the Unix side. The MySQL server, once started, executes even very complex queries with huge result sets in record-setting time.

    • PHP supports a large number of major protocols such as POP3, IMAP, and LDAP. PHP4 added support for Java and distributed object architectures (COM and CORBA), making n-tier development a possibility for the first time.

    • PHP is forgiving: PHP language tries to be as forgiving as possible.

    • PHP Syntax is C-Like.
     
  8. Bluesguy

    Bluesguy Well-Known Member Donor

    The vast majority of anarchist and insurrectionist communications, according to journalist Glenn Greenwald, has been committed on Facebook and Twitter. Have they been shutdown yet?
     
    JET3534 likes this.
  9. Badaboom

    Badaboom Well-Known Member Past Donor

    There are reports now that GPS data and other personal data was harvested by the Parler app on smartphones and has been hacked and made available to law enforcement. I bet some will get pretty nervous...
     
    Last edited: Jan 13, 2021
    fiddlerdave and Quantum Nerd like this.
  10. Daniel Light

    Daniel Light Well-Known Member

    Dear FBI -

    ANY and ALL posts that I make on this site are done for entertainment purposes only. I have a sarcastic sense of humor and any and all posts
    should be interpreted with that in mind. I do not take any posts or replies I make on this site seriously - Daniel Light

    Just in case, best to be truthful.
     
    cyndibru, MJ Davies, AZ. and 2 others like this.
  11. Hotdogr

    Hotdogr Well-Known Member Past Donor

    No PHP code is revealed by pressing F12 on the client end, unless it is contained in an html comment. PHP is a server side scripting language. I have developed commercial PHP applications for the last decade.
     
    fiddlerdave, Badaboom and mdrobster like this.
  12. Burzmali

    Burzmali Well-Known Member Past Donor

    If they aren't doing anything about it, then they absolutely should face the same consequences that Parler has faced.
     
    Quantum Nerd likes this.
  13. Thedimon

    Thedimon Well-Known Member

    The point I’m trying to make is that with PHP you don’t need to deal with DLLs and compilation of the site. You can just copy the entire directory. That’s the way I’m updating our company’s intranet page - I copy the entire directory to a test server, make the changes, and then replace the original folder contents with the new one. The change happens in an instant. Considering that there are tons of web hosts out there, copying the website to a new server could theoretically take 5-10 minutes.
    With .NET it’s a bit more difficult because you might have to recompile DLL files to reflect some routing changes, like database connection strings.

    So, in simple terms - the fact that Parler went offline is a good indication of the quality of web developers they have on staff.
     
    mdrobster likes this.
  14. Thedimon

    Thedimon Well-Known Member

    Yep - PHP, or C# and Visual Basic.NET, are server side languages and unless you can access the root directory of the website there is no way for an outsider to access that code.
     
    Hotdogr likes this.
  15. Burzmali

    Burzmali Well-Known Member Past Donor

    "Web developers" seems a little generous. After looking at some of the vulnerabilities (bear in mind, I'm a mobile and desktop app dev, not web/backend), these are some serious rookie mistakes. Not authenticating and authorizing access to private posts? That's the kind of stuff that gets companies sued.
     
    Quantum Nerd likes this.
  16. mdrobster

    mdrobster Well-Known Member

    I've done both C# and Java server side. Not sure it has to be PHP, and yeah, no one sees server side, but I don't think any of this is a coding issue. If the server code has security flaws, it is certainly possible, but I would need to know more; there are a number of apps out there for this scraping.
     
  17. MJ Davies

    MJ Davies Well-Known Member

    I put a similar statement in my email signature line when I was going through my divorce. Luckily, I don't have a hair trigger temper so most of what I put in writing was benign. But, as you stated, just in case. ;-)
     
  18. fmw

    fmw Well-Known Member

    My recommendation is the same as I have made to Twitter users. If you don't like it, don't use it.
     
  19. Bluesguy

    Bluesguy Well-Known Member Donor

    When did they ban Antifa and BLM? When did they cut Kamala Harris for advocating support for the anarchists and insurrection? And Parler was cutting calls for violence it discovered, but it was happening on Facebook and Twitter.
     
  20. Thedimon

    Thedimon Well-Known Member

    My comment isn’t as much about security as it is about the fact that a company like Parler with millions of users allowed itself to be taken offline. If I were their CEO I’d tell the team of web developers that no one goes home till the site is up. Each second the site is down the company loses money. A quick Google search for “web host” yields millions of results, so finding a host inside or outside of the US is just not difficult and the entire platform could be moved in a couple of hours.
    Parler was a good idea, but when you have incompetent leadership combined with a seemingly incompetent development team you get destroyed at the first instance of running into a major problem. Everything that happened to the platform was totally preventable and being proactive wouldn’t break their bank.
    Stupidity.
    :disbelief:
     
    Last edited: Jan 13, 2021
    fiddlerdave likes this.
  21. Thedimon

    Thedimon Well-Known Member

    Off topic.
    How difficult is Java? I’ve heard it’s like one of the most difficult popular programming languages out there.
    I juggle between C# and PHP these weeks due to a project that I’m working on, and I must say this - in-memory data tables are a heck of a lot easier to work with in C# than in PHP. In C# you can use SQL syntax to query a data table, while in PHP you have to deal with arrays within arrays (even more arrays if the table is really complex), and if you need to alter any value you need to find the right array within that array, rebuild it and then replace that array within the primary array - an absolute mess; something that can be done with 1 line of code in C# requires quite a bit more in PHP.
     
    mdrobster likes this.
  22. Burzmali

    Burzmali Well-Known Member Past Donor

    Like I said, they should suffer the same fate.

    Amazon found 90+ examples where they didn't, which meant they violated Amazon's TOS.
     
  23. Burzmali

    Burzmali Well-Known Member Past Donor

    C# and Java dev here: if you can write C#, you can write Java. They're very similar.
     
    Thedimon and mdrobster like this.
  24. mdrobster

    mdrobster Well-Known Member

    I understand why Parler was taken down, I imagine it is temporary.
     
  25. mdrobster

    mdrobster Well-Known Member

    In C# one has the Entity Framework or ADO for DB access; in Java it is odbc:jdbc as the framework. Java is very little different from C#. For difficulty, I found Scala very difficult. I don't know your business domain, so I can't say too much about your difficulty with PHP.
     
    Thedimon and Burzmali like this.