It is important to note that high-profile data leaks tend to come with large amounts of misinformation, especially when there is great interest from the outside. In this case, it is difficult to ascertain whether a proper 'hack' took place or whether Parler was simply inherently insecure.
Parler, a social networking company, had a few failures, some long-standing and others caused by poor engineering, that culminated in a number of potential exposures and a full scrape of the attachments posted to the service. Attacks of this kind can occur against any organization that exposes services to the internet. There has been no proof that Parler itself was "hacked" in the sense of a break-in; rather, it was inherently insecure, and it appears that this weak security was leveraged by parties around the world before the service was shut down.
This is also the first large-scale hacktivism movement we have seen in a while. 2020 saw a few leaks (for example BlueLeaks, published by DDoSecrets), but this is a very fast and significant entry into 2021. Incursions of this kind tend to be broad and expose vast amounts of data, holding the public's attention for a prolonged period as the information is slowly divulged.
Parler improperly allowed mass collection of archived data (images, videos, account information) that had been posted to the service. The cause was an unauthenticated API endpoint whose object IDs were sequential integers, which let anyone iterate over the endpoint and retrieve everything it served. The resulting archive is now reaching upwards of 60TB, with over one million videos alone.
With no access control on who could request these objects and no rate limiting, the internet at large was able to capture all the data that was available. The result was over 60TB of data with massive amounts of metadata: well over 1,400 distinct metadata fields attached to the retrieved files, ranging from geolocation to the model of phone used. Geolocation and device model are exactly what the EXIF metadata embedded in uploaded photos and videos carries, which is why services normally strip it at upload time.
For example, if a corporate website stores its PDFs at numbered URLs such as http://www.acme.com/pdfs/1.pdf, an attacker can guess the URL structure and request 2.pdf, 3.pdf, and so on, until they are detected and stopped or have retrieved everything they want. In Parler's case the URLs looked like https://par(dot)pw/v1/photo?id= and the ID could simply be incremented to pull object after object from the API without any prior knowledge of which IDs existed.
From a defensive security perspective, this is a failure against the OWASP Top 10, the standard list of the most critical web application security risks. Specifically, it is an Insecure Direct Object Reference (IDOR), a form of broken access control in which the server hands out an object based on a client-supplied identifier without checking whether the caller is authorized to see it; combined with predictable identifiers, it lets an attacker enumerate all data available. The fix is an authorization check on every object request. Rate limiting and unguessable IDs raise the cost of a scrape, but neither one is the fix on its own.
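To make the IDOR concrete, here is an added example written for this page (not Parler's code or anything recovered from it): a sequentially numbered media endpoint that hands out objects with no authorization check, the hardened handler beside it, and the enumeration loop a scraper runs against both. The in-memory photo store, the account names and the function names are all assumptions for illustration.

```python
"""Added example, not Parler's code: an IDOR on a sequentially numbered
media endpoint, the hardened handler, and the enumeration loop that is
run against both. The photo store, owners and handler names are all
constructed assumptions for illustration."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Photo:
    owner: str        # account that uploaded the file
    private: bool     # True: only the owner should be able to fetch it
    blob: bytes       # stand-in for the stored media bytes


# Constructed sample store keyed by a sequential integer, the same shape
# as the /v1/photo?id=N pattern described above.
PHOTOS_BY_SEQ_ID: Dict[int, Photo] = {
    1: Photo("alice", private=False, blob=b"cat.jpg"),
    2: Photo("alice", private=True,  blob=b"passport.jpg"),
    3: Photo("bob",   private=True,  blob=b"home-address.png"),
    4: Photo("carol", private=False, blob=b"sunset.jpg"),
}


def vulnerable_get_photo(photo_id: int, requester: Optional[str]) -> Optional[bytes]:
    """The IDOR: the object is looked up by the client-supplied ID and
    returned. No authentication is required and the requester is never
    compared against the object's owner."""
    photo = PHOTOS_BY_SEQ_ID.get(photo_id)
    return photo.blob if photo else None


def hardened_get_photo(photo_id: int, requester: Optional[str]) -> Optional[bytes]:
    """Same lookup key, but an authorization decision is enforced for
    every object before anything leaves the server."""
    if requester is None:
        return None                       # anonymous callers get nothing
    photo = PHOTOS_BY_SEQ_ID.get(photo_id)
    if photo is None or (photo.private and photo.owner != requester):
        return None                       # a deny looks identical to "not found"
    return photo.blob


def enumerate_endpoint(handler: Callable[[int, Optional[str]], Optional[bytes]],
                       requester: Optional[str], max_id: int = 10) -> Dict[int, bytes]:
    """What the scrapers did: walk the ID space and keep whatever comes
    back. Sequential IDs make the space tiny and remove any guessing."""
    found: Dict[int, bytes] = {}
    for photo_id in range(1, max_id + 1):
        blob = handler(photo_id, requester)
        if blob is not None:
            found[photo_id] = blob
    return found


def mint_unguessable_id() -> str:
    """Defense in depth: a 128-bit CSPRNG-derived ID cannot be walked.
    It does not replace the authorization check in hardened_get_photo;
    it only takes away free enumeration of the whole object space."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print("anonymous vs vulnerable:", enumerate_endpoint(vulnerable_get_photo, None))
    print("anonymous vs hardened:  ", enumerate_endpoint(hardened_get_photo, None))
    print("bob vs hardened:        ", enumerate_endpoint(hardened_get_photo, "bob"))
```

Against the vulnerable handler an anonymous loop over ten IDs drains all four objects, private ones included; against the hardened handler it gets nothing, and an authenticated user gets only public objects plus their own. Whether anonymous reads of public media should be permitted is a product decision; the part that must never be skipped is the per-object check.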
Additionally, when Twilio, a third-party service Parler used for user verification, withdrew its service, it appears users were able to create Parler accounts without having to verify their email.
How Does Blumira Detect These Attacks?
Blumira detects these types of attacks by looking for anomalous behavior in how one or many IPs connect to a host and attempt to access unique paths on it. Relying on rate limiting alone, or on third-party services that can cancel your account, can leave you insecure or shut down, as seen in recent news.
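As an added example of the kind of anomaly described here (written for this page, not Blumira's detection logic), the following walks web server access logs and flags a client that is requesting many nearly consecutive object IDs from one path within a short window. The log lines are constructed, and the thresholds are assumptions sized for this tiny sample.

```python
"""Added example, not Blumira's detection logic: flag clients that are
walking a numbered endpoint, from constructed access-log lines."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample in Common Log Format. The first client walks IDs
# 1001..1006 in two seconds (one of them does not exist); the second
# fetches three unrelated objects over several minutes.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2021:10:00:01 +0000] "GET /v1/photo?id=1001 HTTP/1.1" 200 48213
203.0.113.7 - - [11/Jan/2021:10:00:01 +0000] "GET /v1/photo?id=1002 HTTP/1.1" 200 9131
203.0.113.7 - - [11/Jan/2021:10:00:02 +0000] "GET /v1/photo?id=1003 HTTP/1.1" 404 0
203.0.113.7 - - [11/Jan/2021:10:00:02 +0000] "GET /v1/photo?id=1004 HTTP/1.1" 200 77100
203.0.113.7 - - [11/Jan/2021:10:00:03 +0000] "GET /v1/photo?id=1005 HTTP/1.1" 200 5220
203.0.113.7 - - [11/Jan/2021:10:00:03 +0000] "GET /v1/photo?id=1006 HTTP/1.1" 200 61000
198.51.100.20 - - [11/Jan/2021:10:00:05 +0000] "GET /v1/photo?id=88213 HTTP/1.1" 200 30210
198.51.100.20 - - [11/Jan/2021:10:02:40 +0000] "GET /v1/photo?id=1057 HTTP/1.1" 200 12004
198.51.100.20 - - [11/Jan/2021:10:05:12 +0000] "GET /v1/photo?id=43002 HTTP/1.1" 200 8192
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line: str) -> Optional[dict]:
    """One CLF line -> {ip, ts, path, id, status}, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlparse(m["url"])
    ids = parse_qs(url.query).get("id", [])
    obj_id = int(ids[0]) if ids and ids[0].isdigit() else None
    return {"ip": m["ip"], "ts": ts, "path": url.path,
            "id": obj_id, "status": int(m["status"])}


def find_enumerators(log_text: str, min_ids: int = 5,
                     window_s: float = 60, max_gap: int = 2) -> Dict[str, dict]:
    """Return {ip: details} for clients that asked for at least `min_ids`
    distinct object IDs on one path within `window_s` seconds AND whose
    successive IDs were mostly within `max_gap` of each other."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["id"] is not None:
            per_client[(rec["ip"], rec["path"])].append(rec)

    hits: Dict[str, dict] = {}
    for (ip, path), recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        ids = [r["id"] for r in recs]
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        distinct = len(set(ids))
        if distinct < min_ids or span > window_s:
            continue
        gaps = [abs(b - a) for a, b in zip(ids, ids[1:])]
        sequential_ratio = sum(1 for g in gaps if g <= max_gap) / max(len(gaps), 1)
        # 404s inside the run are their own tell: a real client follows links
        # it was handed and rarely asks for IDs that do not exist.
        not_found = sum(1 for r in recs if r["status"] == 404)
        if sequential_ratio >= 0.8:
            hits[ip] = {"path": path, "distinct_ids": distinct, "seconds": span,
                        "sequential_ratio": sequential_ratio, "not_found": not_found}
    return hits


if __name__ == "__main__":
    for ip, details in find_enumerators(SAMPLE_LOG).items():
        print(ip, details)
```

Per-IP logic like this is easy to spread thin by scraping from many addresses, so the same counters should also be kept per endpoint across all clients. None of it replaces the authorization check; it only shortens the time an exposed endpoint is being drained.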
Depending on third-party services for two-factor authentication (2FA) and email verification also carries risk, as seen when Twilio cancelled its support. Additionally, fail-open changes in authentication (e.g., the 2FA provider can no longer be reached, so every login that passes the first factor is allowed) are a detectable and useful recurring Scheduled Report pattern for organizations to review consistently. Have your Okta authentications changed broadly over time because of a change in service? Blumira's platform provides scheduled reporting to help surface such security trends.
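The fail-open pattern just described, as an added example written for this page (not Blumira's or Okta's code): a scheduled-report style check that the share of successful sign-ins backed by a second factor has not collapsed, which is what a 2FA outage that fails open looks like in the logs. The events are constructed in a simplified JSON-lines schema that is an assumption, not Okta's real event format, and the baseline and drop threshold are assumptions too.

```python
"""Added example, not Blumira's or Okta's code: detect a fail-open 2FA
change by tracking the daily share of successful logins that carried a
second factor. Event schema and thresholds are constructed assumptions."""
import json
from collections import defaultdict
from typing import Dict, List, Tuple


def _event(ts: str, user: str, outcome: str, factor) -> str:
    return json.dumps({"published": ts, "actor": user,
                       "outcome": outcome, "second_factor": factor})


# Constructed sign-in events. Days 1 and 2 are normal; on day 3 the 2FA
# provider is unreachable and the app has failed open, so successes
# arrive with second_factor = null and an unfamiliar account gets in.
SAMPLE_EVENTS = "\n".join([
    _event("2021-01-08T09:00:00Z", "alice",   "SUCCESS", "push"),
    _event("2021-01-08T09:05:00Z", "bob",     "SUCCESS", "totp"),
    _event("2021-01-08T09:10:00Z", "carol",   "FAILURE", None),
    _event("2021-01-08T09:11:00Z", "carol",   "SUCCESS", "totp"),
    _event("2021-01-08T17:30:00Z", "dave",    "SUCCESS", "push"),
    _event("2021-01-09T08:50:00Z", "alice",   "SUCCESS", "push"),
    _event("2021-01-09T09:01:00Z", "bob",     "SUCCESS", "totp"),
    _event("2021-01-09T09:02:00Z", "erin",    "SUCCESS", None),   # legacy account without MFA
    _event("2021-01-09T12:00:00Z", "carol",   "SUCCESS", "totp"),
    _event("2021-01-09T15:00:00Z", "dave",    "SUCCESS", "push"),
    _event("2021-01-10T08:55:00Z", "alice",   "SUCCESS", None),
    _event("2021-01-10T09:00:00Z", "bob",     "SUCCESS", None),
    _event("2021-01-10T09:03:00Z", "carol",   "SUCCESS", None),
    _event("2021-01-10T09:07:00Z", "dave",    "SUCCESS", None),
    _event("2021-01-10T09:30:00Z", "erin",    "SUCCESS", None),
    _event("2021-01-10T10:00:00Z", "mallory", "SUCCESS", None),   # never seen before
])


def daily_mfa_share(events_jsonl: str) -> Dict[str, Tuple[int, int]]:
    """{day: (successes_with_second_factor, all_successes)}."""
    counts = defaultdict(lambda: [0, 0])
    for line in events_jsonl.splitlines():
        ev = json.loads(line)
        if ev["outcome"] != "SUCCESS":
            continue                      # failures say nothing about fail-open
        day = ev["published"][:10]        # ISO timestamp -> YYYY-MM-DD
        counts[day][1] += 1
        if ev["second_factor"]:
            counts[day][0] += 1
    return {day: (m, n) for day, (m, n) in sorted(counts.items())}


def flag_fail_open(events_jsonl: str, max_drop: float = 0.3,
                   min_logins: int = 3) -> List[dict]:
    """Days whose MFA share fell by more than `max_drop` against the mean
    of all earlier days that had at least `min_logins` successful logins.
    A slow drift (new users without MFA) stays under the threshold; a
    provider outage that fails open drops the share to near zero at once."""
    flagged, history = [], []
    for day, (m, n) in daily_mfa_share(events_jsonl).items():
        if n < min_logins:
            continue
        share = m / n
        if history:
            baseline = sum(history) / len(history)
            if baseline - share > max_drop:
                flagged.append({"day": day, "mfa_share": round(share, 2),
                                "baseline": round(baseline, 2), "logins": n})
        history.append(share)
    return flagged


if __name__ == "__main__":
    print(daily_mfa_share(SAMPLE_EVENTS))
    print(flag_fail_open(SAMPLE_EVENTS))
```

The report lands on the day the second factor disappears across the board rather than on an account-by-account basis, which is the signature of an integration that failed open rather than a single user who turned MFA off. The account-creation problem described above, where sign-ups went through without the verification step once the provider was gone, is the same class of failure and can be watched the same way using the verification flag on new-account events.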
Attacks like the one carried out against Parler are what would be considered a failure at the application security level: the service was engineered improperly and not tested for security. Blumira considers detections like these to be useful not only from a "stop the attacker" perspective, but also as teaching tools for organizations' development teams.