Parler wasn’t hacked as much as they didn’t close the door

I talked about Parler being scraped for data yesterday. Today, here are the details of how it was done.

Per Wired, there were rumors on Reddit about how it happened. Turns out, it was NOT a misuse of two-factor authentication. Instead, the company simply lacked the basic security measures needed.

The technical details – an insecure direct object reference (IDOR). An attacker can just guess the pattern the application uses to address its data. Posts on Parler were numbered in simple chronological order: add one to the ID in the URL and you get the next post. No authentication was required, and there was no rate limiting to stop anyone from pulling too much.

So write a simple script, and you can get everything.

The company also didn’t scrub metadata from images and videos. So the archived content includes users’ detailed locations, such as GPS coordinates for their homes.
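The scrubbing step Parler skipped, as an added example that is not code from the original post or from Parler: a dependency-free Python function that walks a JPEG’s marker segments, reports whether the Exif block carries a GPS IFD pointer, and drops the Exif APP1 segment before the file is served. The sample JPEG bytes are constructed inline for illustration and are not a real photo.

```python
import struct

SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
GPS_IFD_TAG = 0x8825  # GPSInfo pointer in IFD0 (TIFF/Exif spec)


def _build_sample_jpeg() -> bytes:
    """Constructed sample: minimal JPEG with an Exif APP1 whose IFD0 points at a GPS IFD."""
    tiff = b"II*\x00" + struct.pack("<I", 8)                       # little-endian TIFF header
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)
    tiff += struct.pack("<I", 0)                                    # no next IFD
    tiff += struct.pack("<H", 0) + struct.pack("<I", 0)             # empty GPS IFD at offset 26
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    dqt = b"\xff\xdb" + struct.pack(">H", 4) + b"\x00\x01"          # stand-in quantisation table
    return b"\xff\xd8" + app1 + dqt + b"\xff\xda" + struct.pack(">H", 2) + b"\x12\x34" + b"\xff\xd9"


def _segments(data: bytes):
    """Yield (marker, raw_segment) up to SOS; the entropy-coded tail is returned whole."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (SOS, EOI):      # RSTn markers only occur after SOS, so copy the rest verbatim
            yield marker, data[pos:]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def exif_has_gps(exif_payload: bytes) -> bool:
    """True if the Exif payload's IFD0 carries a GPSInfo pointer tag."""
    tiff = exif_payload[6:]  # skip the "Exif\0\0" signature
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    tags = (struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])[0] for i in range(count))
    return GPS_IFD_TAG in tags


def strip_exif(data: bytes) -> tuple:
    """Return (jpeg_without_exif, had_gps); every APP1 segment tagged 'Exif' is dropped."""
    out, had_gps = bytearray(b"\xff\xd8"), False
    for marker, seg in _segments(data):
        if marker == APP1 and seg[4:8] == b"Exif":
            had_gps = had_gps or exif_has_gps(seg[4:])
            continue
        out += seg
    return bytes(out), had_gps
```

Run `strip_exif` on uploaded bytes before storage; the `had_gps` flag is also a useful signal to log, since a platform that promises privacy should see how often location data is arriving in the first place.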

Here’s the best quote – “It’s gross incompetence.  They marketed themselves as a private, secure, unmoderated platform, and instead it’s comedy hour.”

Why do we care?

I should scream. This is why there is money to be made in data management. They desperately needed someone to advise them on how to manage customers’ data securely. Build that in from the beginning, you win. Ignore it, you can fail spectacularly.

Like this.

Sell services to do this. Not just a bunch of products, but the advice to make sure this doesn’t happen to your clients.

