Everything we know about the security gaps that led to this week’s Parler hack

Parler, the far-right social media platform that has garnered headlines after being used by Trump supporters to organise the now-infamous march on the US Capitol building, was taken down earlier this week. This was due to a combined effort from Android and Apple, both of which removed the app from their respective app stores, and Amazon, which stopped supporting its website on its AWS cloud platform – though not before one hacker was able to extract 70TB worth of data from the app, including user locations, administrator information, messages, and videos.

Twitter user @donk_enby has taken ownership of the data theft, claiming that she has, at the time of writing, captured and archived 99.9% of Parler’s content spanning the Capitol riot which began on 6th January. Of that content, @donk_enby claims there are 1.1 million “original, unprocessed, raw” video URLs, complete with associated metadata. The hacker has since alleged that this metadata included exact locations of where the videos were filmed, among other personal information.

By all accounts, @donk_enby is a hacker with a conscience, with many already speculating that this stolen information could be made public so that US authorities can use it to identify and detain rioters who broke the law during the Capitol breach.

While on this occasion we are witnessing what some may call an ‘ethical hack’ in a bid to bring right-wing lawbreakers to justice, it is concerning to see just how easily a major platform such as Parler was breached, and it is troubling to consider how data of that depth and volume could be used by less moral attackers in future. For example, in the image below, @donk_enby notes that the metadata of one video records its GPS position as precise latitude and longitude coordinates.

The ease with which @donk_enby accessed the data is also a cause for alarm. Speaking to CyberNews about the breach, data ethicist Ali Alkhatib claims that this wasn’t “hacking in a sense we think about state-sponsored hacking, involving phishing or active deception, or anything like that.” Instead, he notes, “there was a glaring gap in the security of the platform, and @donk_enby and a few others noticed it and used it.”
