Well, because of that access, it gave them access to the behind-the-login-box API that is used to deliver content -- ALL CONTENT (parleys, video, images, user profiles, user information, etc.) --. But what it also did was reveal which USERS had "Administration" rights, "Moderation" rights.
Well, then what happened, those user accounts that had Administration rights to the entire platform... The hackers, internet warriors, call it what you will, were able to use the forgot password link to change the password. Why? Because Twilio was no longer authenticating emails. This meant they'd get directly to the reset password screen of that Administration user."
I'm not from the US, but as an outsider, this leaves a really bad taste with how Twilio handled the situation AS A BUSINESS.
I wouldn't blame Twilio. It's entirely Parler's fault they allowed an unvalidated account to successfully register and log in.
Of course, it's also entirely the intruder's fault they exploited the wide open security hole.
Either way, this feels like something that will end in a lawsuit.
---
With regards to reports of cyber security issues Parler experienced and have been attributed to Twilio, our security team investigated the claims and found no evidence indicating their security issues were related to Twilio or our products. Per our Website [0], Twilio has not issued any press releases pertaining to or referencing Parler.
Furthermore, Parler was using Twilio to send out identity verification codes for new downloads or password resets. Once a user was verified, security protocols were independently handled by Parler and did not involve Twilio or its products. On Friday, January 8th, we sent Parler a letter informing them they were in violation of our Acceptable Use Policy [1] and notifying them that we would suspend their account if they did not make efforts to remediate multiple calls for violence on their platform. Shortly after receiving our letter, Parler informed us they had already turned off their integration with Twilio.
Any cyber security issues experienced by Parler were completely unrelated to Twilio or any of its products.
I know that not all press statements are going to be on the website.
From the perspective of any company using a service like twilio (i.e., not just Parler and this specific set of events), would there not be some sort of failsafe in case something just like this were to happen? Or would this kind of thing be so nearly inconceivable that you wouldn't protect against it?
* Fail and essentially have downtime on the features using the API
* Succeed and essentially have no authentication for that time but no downtime
Parler took the second approach. Platforms that value security would take the first approach.
Can someone explain what this means?
That seems to be the consensus.
Twilio as a B2B doesn't gain a lot from being a "woke" company and following the trend of lynching Parler; on the contrary, this can and will scream how Twilio can put your whole platform down overnight.
I wonder when we are going to see a legal discussion of if / when internet access is going to become a basic human right? Just like electricity became ubiquitous, I expect internet access (email, payment processing, etc.) to also become a right.
Is electricity a right?
I'm not suggesting that the deplorable speech was mere harmless fantasising, as it seldom is, on a long-enough timeline. Just that this justification is manifestly no longer tenable.
Something something free market.
Yeah most of these services are doing that to avoid being associated with Parler and these Trump movements. But it has an anti-democratic feel to it.
Considering they make up an enormous percentage of the population, I'm not sure that's a sound strategic move.
So, if the sum total of Parler was 70 Terabytes, as claimed... the transfer time would be 38 hours, if it was hosted on one instance... but it obviously wasn't. It was more likely only a matter of minutes.
This shows a new type of cloud hosting vulnerability. Your entire corporation's infrastructure could be mirrored faster than you could notice.
and YOU are paying for the bandwidth too :-)
This is actually fucking terrifying.
- Nation states that manage to infiltrate a few spies into Amazon or Google could "just" copy the backups of the database without anyone being the wiser.
- My favourite mission ever from the "Shadowrun" games: Step 1 was a mission to alter the backups of some main database (stored at some 3rd party) to include additional admin credentials. Step 2 was to "clumsily" attack the main target and not-quite-hack the main system so that they would restore from backup just to be sure, thereby importing the actual backdoor.
Everybody in the last few days was talking about Parler -- they got more exposure than ever in their life. The takedown from AWS was announced a few days before, so more users could register. Parler was running a "Verified Parler citizen" (wat?) campaign, to gather more personal data. And now, hackers conveniently exposed everything. Hackers are unpredictable, you know.
I am not defending the Parler audience; the honeypot was elegant, but is it ethical?
As a privacy-conscious person, the thought of uploading the front and back of a driver's license + selfie, or passport just to get an "I'm not a bot" badge is ridiculous.
Based on this twitter thread from Nov 2020 they may not have been hiring the best developers: https://twitter.com/davetroy/status/1327253991936454663
[1] https://edition.cnn.com/2020/11/15/media/rebekah-mercer-parl...
It may have ended up as one intentionally anyway.
Build your own is the device, keep your equipment on your own premises, make sure not to have single points of failure - that implies you need to have a backup access provider just in case your internet connection gets cancelled. Don't rely on electronic payment processors; you can use them, but make sure to have a backup. Don't rely on a single bank; have multiple accounts, preferably in more than one country.
It is a sad thing that it has to come to this, but I think we'll eventually end up with politicised service institutions which cater to "progressives" and others which cater to "conservatives". They won't state this directly, but it will be known that a conservative builder is better off at this bank and that insurance company, he'll prefer to buy this coffee and that brand of razor, etc. A shame, really; the more divided society becomes, the harder it will be to find a common cause when such is needed, e.g. in case of a national emergency like an epidemic.
You have freedom of speech and the government cannot arrest you from saying things on the internet. However, organizing a raid on the government will get you in trouble, and never forget that nobody is obligated to give you a platform.
This sums the whole thing up pretty neatly.
I'm so tired of this. The reason people are getting banned from these platforms and services isn't because of just run of the mill political views. They're getting banned because they are hosting content calling for the violent overthrow of the US government. Apple didn't ban Parler from the app store for their attitude towards capital gains tax, they banned them because they found
> direct threats of violence and calls to incite lawless action
The reason people are being banned now isn't some sudden decision by publicly traded companies to try and endorse a left wing agenda. It's because there's been a massive uptick in the number of people advocating violence as a means of advancing their political agenda.
People keep acting as if these actions are being taken in the context of the 2008 election where everyone was pretty much civil and there was no real question of violence. In that context, yes, it's an outrage that liberties are being crushed. But that's not the context of today. Today we have people openly talking about murdering democratic (and somewhat bizarrely, insufficiently local republican) politicians, and credible evidence they plan to carry out those attacks.
The issue isn't that those people are being censored, the issue is they exist in the first place.
What was once extreme and crazy is now the new normal.
And we see that every single day on Facebook and Twitter. It's against their terms of service, just like it's against Parler's.
As a single entity, I don't really give a shit about Parler. What I do give a shit about is treating everyone fairly. If Parler goes because it has a shitton of users and can't swiftly police all content, then Facebook needs to go because they have a child pornography problem.
Listen to this podcast if you want to learn just how widespread the issue is: https://samharris.org/podcasts/213-worst-epidemic/
Funny, I thought the dominant political narrative was that terrorism is bad.
I can't validate anything else in this twitter post. The administrator accounts part all seems fake, unless anyone has found the rest of the content or has a better source?
Previous discussion deeming it fake here: https://news.ycombinator.com/item?id=25725268
Almost none of it makes any sense; instead it seems like people just crawled Parler's public API and saved the responses into a big archive ("the leak"). The only "exploit" I see could be that Parler uses incrementing IDs for posts/content, allowing easy enumeration crawling.
Seems Jason Scott's Archive Team, using existing tooling they built for scraping, scraped Parler before it went down.
Unless the software skipped authentication entirely when this service was unavailable, which I find hard to imagine. But that seems to be what is claimed right now.
An unlikely, but more plausible option to me would be that after removal of the Parler account, someone else was able to register the same account and gain access that way. But that doesn't fit the description all that well, and I'd also expect that this would not work at all if the authentication service is not very careless.
For example here is how something like that might break:
/auth
-> returns {"success": true} and 200 on success
-> normally returns {"success": false, "error": "BLAHLBAH"} and 200 on failure
developer checks if response["error"] is null to check if it was successful or not
after your account is disabled /auth starts returning empty json: {} with a 500 error code
oops. now all the requests are incorrectly marked as success. i know this happens because i've seen similar things happen in real life.
the error could also be more obvious and the code just fails open. someone has a try/catch and returns true either because of an accidental mistake or because they don't want users to be locked out when the provider is down.
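The two failure modes in this comment (the `error is null` check that accepts an empty outage body, and the try/except that returns true) and the fail-closed versus fail-open choice discussed further up the thread, modelled as an added example that is not code from the thread or from any of the companies named. The response shapes are assumptions taken from the comment's description, and the sample responses are constructed:

```python
"""Fail-open vs fail-closed handling of an external verification API.

Added example, not code from the thread. Models the response shapes the
comment describes (assumed, not a real vendor API) and shows why checking
only for an absent "error" field silently accepts an outage.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class AuthResponse:
    status: int
    body: Optional[dict]  # None when the response body is not valid JSON


# Constructed sample responses, shaped as the comment describes them.
OK = AuthResponse(200, {"success": True})
REJECTED = AuthResponse(200, {"success": False, "error": "BLAHLBAH"})
OUTAGE_EMPTY_JSON = AuthResponse(500, {})      # account disabled: {} + 500
OUTAGE_NO_BODY = AuthResponse(503, None)       # provider down: no JSON at all


def is_verified_buggy(resp: AuthResponse) -> bool:
    """The pattern from the comment: 'no error field' is read as success.

    Rejections still look rejected (they carry an error), but every outage
    shape has no error field and is therefore accepted. This fails open.
    """
    body = resp.body or {}
    return body.get("error") is None


def is_verified_safe(resp: AuthResponse) -> bool:
    """Require an explicit positive answer; anything else is a denial.

    Status must be 200, the body must parse, and it must say success=True
    with no error field. Unknown or degraded shapes fail closed.
    """
    if resp.status != 200 or not isinstance(resp.body, dict):
        return False
    return resp.body.get("success") is True and "error" not in resp.body


def verify_with_provider(call: Callable[[], AuthResponse],
                         allow_when_down: bool = False) -> bool:
    """Wraps the network call. allow_when_down=True is the try/except that
    returns true 'so users aren't locked out': the fail-open choice the thread
    warns about. The default (False) is the fail-closed choice.
    """
    try:
        resp = call()
    except Exception:  # timeout, DNS failure, connection refused, ...
        return allow_when_down
    return is_verified_safe(resp)


def provider_down() -> AuthResponse:
    """Constructed stand-in for a provider that is unreachable."""
    raise ConnectionError("verification provider unreachable")


if __name__ == "__main__":
    for name, resp in [("ok", OK), ("rejected", REJECTED),
                       ("empty_json_500", OUTAGE_EMPTY_JSON),
                       ("no_body_503", OUTAGE_NO_BODY)]:
        print(f"{name:15} buggy={is_verified_buggy(resp)!s:5} "
              f"safe={is_verified_safe(resp)}")
    print("provider down, fail closed:", verify_with_provider(provider_down))
    print("provider down, fail open:  ",
          verify_with_provider(provider_down, allow_when_down=True))
```

The detection angle is the same in both halves: an integration should log and alert on any verification call that returns a non-200 status or an unparseable body, because with the buggy check those events look like a sudden run of successful sign-ups rather than an outage.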
Failing open would be a catastrophic mistake either way. "The auth provider is down, just let everyone in!"
It's entirely possible that Parler stored all of their data in S3, with metadata documents, and someone managed to find some creds in the app to list the object storage. These practices and this kind of vulnerability are both common.
That so-called technical person that knew much more than the poster apparently was misinformed.
1. Somebody reverse engineered the iOS app, which allowed them to access Parler's API and enumerate all of the content on the app
2. The Twilio shutdown affected SMS verification for new account registration, meaning people were now able to programmatically create many new user accounts which they could combine with #1 to scrape all the data without being rate limited
They're claiming that the "we're not providing services to Parler any more" public statements of Twilio unintentionally provided the information necessary to perform the hacks.
I thought the password reset flow is initiated from the email link, not from the "Forgot password" link, and is just paused until the email link is clicked.
All they got was just published data that they easily scraped.
>Also, a lot of posts were deleted by Parler members after the riots on the 6th. Turned out... Parler didn't actually delete anything.. just set a bit as deleted.
The perils of soft/logical delete instead of hard/real deletion.
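The soft-delete peril in one small model, as an added example that is not code from the thread or from Parler. The store, the read paths and the sample posts are constructed; the point is that a row flagged `deleted` is still present in the store, so any read path that forgets the filter, any full dump, and any backup still carries the content until a purge actually removes it:

```python
"""Soft delete vs hard delete. Added example, not code from the thread.

A "deleted" flag hides a row from the read paths that remember to filter;
it does not remove the content from the store, its dumps or its backups.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Post:
    id: int
    author: str
    body: str
    deleted: bool = False


class PostStore:
    """Minimal in-memory store standing in for a database table."""

    def __init__(self) -> None:
        self._rows: Dict[int, Post] = {}

    def add(self, post: Post) -> None:
        self._rows[post.id] = post

    def soft_delete(self, post_id: int) -> None:
        """What the thread describes: only a bit is set."""
        self._rows[post_id].deleted = True

    def hard_delete(self, post_id: int) -> None:
        """Real deletion: the row is gone from the store."""
        self._rows.pop(post_id, None)

    def get(self, post_id: int) -> Optional[Post]:
        """The well-behaved read path that honours the flag."""
        post = self._rows.get(post_id)
        return None if post is None or post.deleted else post

    def get_unfiltered(self, post_id: int) -> Optional[Post]:
        """A read path (or direct store access) that forgets the filter."""
        return self._rows.get(post_id)

    def dump_bodies(self) -> List[str]:
        """What a full export, scrape of an unfiltered endpoint, or backup
        of this store contains."""
        return [p.body for p in self._rows.values()]

    def purge_flagged(self) -> int:
        """Retention job: turn soft deletes into hard deletes.

        Returns the number of rows removed. A real deployment would also
        have to purge backups and any replicas for this to be complete.
        """
        flagged = [pid for pid, p in self._rows.items() if p.deleted]
        for pid in flagged:
            self.hard_delete(pid)
        return len(flagged)


def build_sample_store() -> PostStore:
    """Constructed sample data for the demonstration."""
    store = PostStore()
    store.add(Post(1, "alice", "hello world"))
    store.add(Post(2, "bob", "post the author later regretted"))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    store.soft_delete(2)
    print("filtered read:  ", store.get(2))             # None
    print("unfiltered read:", store.get_unfiltered(2))  # still there
    print("dump:           ", store.dump_bodies())      # still there
    print("purged:", store.purge_flagged())
    print("dump after purge:", store.dump_bodies())
```

Soft delete is a legitimate design for undo windows and audit trails, but it has to be paired with a purge job and a retention policy for backups; without those, "delete" is only a UI promise, which is exactly the gap the quoted comment points at.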
I'll believe it when after private convos are leaked.
https://www.reddit.com/r/ParlerWatch/comments/kuqvs3/all_par...
One 'hack' enumerating content
One 'hack' mass producing accounts to spam with
Looking at this dump, it appears to just be URLs. If the site doesn't exist anymore, then the URLs point to nothing.
What's actually exposed? What am I missing here?