The Parler Hack: What Did Scraped Parler Data Reveal
The social network Parler has courted controversy since its inception. A self-described bastion of free speech, the site has made waves for refusing to censor even the most extremist ideology, violent threats and fake news – making it a magnet for right-wing groups banned from sites like Twitter for hate speech. That includes a number of people who marched on and invaded the Capitol Building in Washington D.C. on January 6, 2021.
But last week, Parler made waves for very different reasons, when cyber-vigilantes released 70TB of comments, videos and videos posted on the site during the Capitol Hill incident and in the run-up to the attack.
What Was the Parler Hack About?
The heist was pulled off by a group of hackers led by someone calling themselves @donk_enby on Twitter. This team was horrified by the events at Capitol Hill and wanted to make sure that posts leading back to the perpetrators weren’t lost before they could be investigated.
“Hacktivists” crawled through every Parler post ever made and downloaded the content for posterity. Not only that, they uploaded all the materials they had collected from the period leading up to, during, and immediately after the storming of the Capitol building to the Internet Archive, making them publicly available. The idea was to give others an opportunity to start analyzing and cataloging evidence and identifying the perpetrators.
For the hackers, this came in the nick of time. Both Apple and Google had already removed the Parler app from their app stores on the basis that it facilitated the ongoing incitement of violence. Twilio, which provides two-factor authentication, had just cut ties with Parler. Right after the scrape was complete, Amazon Web Services switched off hosting for the Parler platform, effectively shutting it down until it can find an alternative hosting provider.
How was Parler Hacked?
@donk_enby posted the entire code of the download tool they used to perform the hack, so we do actually know exactly how they did it.
The group created a program that automatically scraped and downloaded all Parler posts. That includes ones that the authors had tried to delete. It did this by exploiting a pretty basic security vulnerability.
Whenever you post on a social media network, your post will have its own URL. That’s how you link to a specific Tweet or Facebook post, for example. Most of the major platforms randomly generate a URL. Parler, on the other hand, just numbers them chronologically. This means that you can predict every single URL that has been generated and stored on the site. All you need is the URL of one post and you’d add a 1 to get the next post that was published or subtract 1 to get the one before. And so on and so forth.
What this also means is that if you know how to code, you could write a straightforward script that jumps through all these post URLs, from the first-ever published to the last, and automatically download all their content. That includes every text comment, every photo, every video… in the exact order they were posted, plus all the metadata that goes with them. And that’s exactly what @donk_enby and their team did.
To make things even easier, there’s no Parler verification required to view public posts. Parler doesn’t do rate limiting, which stops a single IP address from looking up a maximum amount of URLs in a short period of time. Neither does it authenticate developer access to APIs that give access to large amounts of posts in one go. All of which made a Parler hack far too easy. In fact, barely any “hacking” was required.
Parler Verification Process and the Privacy Breach Issue
Some Parler account holders were particularly nervous about this privacy breach because of the Parler verification process. This asks people that want to be listed as “Verified Citizens” to upload a copy of their official ID, for example, a driving license or passport scan, in order to prove that they are a real person and not a bot.
Understandably, users who had gone this extra step were worried that copies of their ID had fallen into the hands of hackers and subsequently been made public. If that was the case, it would be a major security and privacy breach, potentially exposing them to identity theft or fraud.
According to @donk_enby, though, the program was only designed to scrape public posts. Anything stored out of view by Parler, including sensitive data, passwords, ID scans, and the like, would not have been picked up. Unless Parler account users had posted photos of their ID (or other personally identifying information) themselves, the Parler hack would not have picked them up.
So Some Parler Posts Got Leaked. What’s the Big Deal?
Well, there are three key reasons that the Parler hack is worrying its users.
First of all, the whole point of the hack was to capture valuable information surrounding the storming of Capitol Hill. The hackers were hoping to preserve any incriminating evidence, for example, materials that indicated who was involved in conspiring to commit crimes, who was involved in the illegal activity (or in planning and directing it), and/or examples of people inciting violence.
This means that anyone that publicly encouraged the invasion of the building, called for violence to be used against state officials, or shared footage of them vandalizing the inside of the Capitol could be heading for severe legal consequences.
You might be thinking: sure, but they deserve it for breaking the law. However, it could also cause real trouble for people who had signed up for a Parler account out of curiosity and, say, commented on something that is now connected to a criminal investigation. Or for any journalists and researchers who were trying to track what was happening on the day of the attack, but whose attempts to elicit information from it has tarred them with the same brush.
Secondly, the scrape also picked up deleted posts. This means that Parler was keeping hold of data even after their users thought they had got rid of it. That’s pretty damning for Parler as it tries to regain the trust of its 10 million users, who will have serious questions about its attitude to user privacy. It also means there could be all kinds of embarrassing stuff leaked now – including material that people had posted and then changed their minds about, or that they had shared accidentally.
Thirdly, even though the Parler hack didn’t pick up any individual IDs or sensitive information stored by the platform, you can work out an awful lot from the geolocation and metadata attached to the photos, videos, and other media downloaded from the site.
In fact, one data visualization specialist called Kyle McDonald used the detailed location data from 68,000 Parler videos to create a GPS map of the U.S, showing where they had all been uploaded. That kind of data could easily be traced back to individual posters – even those that thought they were using the site anonymously.
What to Do if You Have a Parler Account
Well, the good news is that there aren’t any hacked Parler accounts per se. Your passwords, personal information, credit card numbers, and so on have not been leaked. However, given that the privacy apparatus is so shoddy and Twilio has stopped offering any semblance of security, if Parler ever reappears, you may want to consider using an encrypted password manager to generate a stronger password. Or simply delete your Parler account.
You also need to be prepared for the fact that anything you thought you were posting solely for the eyes of your Parler network is now freely available for the world to see. If you weren’t involved in anything illegal (or encouraging others to break the law), you should be in the clear.
While you can’t do much about the Parler hack now, you can – and should – take it as a warning for the future to be extremely cautious about what you share online and who you trust with your private data. It’s best to adopt the view that anything you post or share online could one day be exposed. If you’re going to insist on your right to free speech at all costs, you’d better be prepared to stand by what you say.