Hack of the far-right social network Gab, exposing public posts, private posts, user profiles, passwords, DMs, and chat messages by JaXpArO (they/them) & My Little Anonymous Revival Project.
- https://ddosecrets.com/wiki/GabLeaks (limited distribution)
Explanation of the Hack
An ActiveRecord SQL injection vulnerability (use of the find_by_sql method with string-built SQL instead of parameterized queries) was present in the site's code at the time of the hack.
Gab first tried to mitigate the exploit with the Cloudflare WAF, but the hacker was able to bypass it, return, and collect more data.
After the vulnerability was fixed, the hacker was still able to use unrevoked OAuth tokens to hijack and post messages from the CEO's account.
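The defect described above, shown as an added Ruby example (this is illustrative code written for this page, not Gab's code and not anything from the leak): a find_by_sql call that splices a request value into the SQL text, beside the placeholder form, plus a small source-scanning check a reviewer could run to catch the pattern. The `bind_sql` helper is an assumed, simplified stand-in for the quoting ActiveRecord applies to `find_by_sql(["... ?", value])`, so the example runs without a database; the table, column names and attacker input are constructed.

```ruby
# Added example, not code from the page or from Gab. Contrasts the
# vulnerable pattern (find_by_sql with Ruby string interpolation) with the
# placeholder form, using a minimal stand-in for ActiveRecord's quoting so
# the example runs offline.

# Vulnerable: the attacker-controlled value is spliced into the SQL text,
# so a quote character in it changes the structure of the query.
def unsafe_user_query(username)
  "SELECT * FROM accounts WHERE username = '#{username}'"
end

# Simplified stand-in (an assumption, not ActiveRecord's real code) for the
# quoting applied to `find_by_sql(["... ?", value])`: each `?` is replaced by
# the matching value rendered as a SQL literal, with embedded quotes doubled.
def bind_sql(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  i = -1
  template.gsub("?") do
    v = values[i += 1]
    case v
    when Integer then v.to_s
    when nil     then "NULL"
    else "'" + v.to_s.gsub("'", "''") + "'"
    end
  end
end

# Hardened: the SQL text is a fixed template; the value travels as data.
def safe_user_query(username)
  bind_sql("SELECT * FROM accounts WHERE username = ?", username)
end

# Review check: flag find_by_sql calls whose SQL string literal contains
# Ruby interpolation (#{...}), which is the shape of the defect above.
# Returns the 1-based line numbers that need attention.
INTERPOLATED_FIND_BY_SQL = /find_by_sql\s*\(?\s*"[^"]*\#\{/

def flag_interpolated_find_by_sql(source)
  source.each_line.with_index(1).filter_map do |line, n|
    n if line.match?(INTERPOLATED_FIND_BY_SQL)
  end
end

# Constructed input: a classic quote-breaking value.
ATTACKER_INPUT = "x' OR '1'='1"

# Constructed source sample: line 1 is the vulnerable form, line 2 the fix.
SAMPLE_SOURCE = <<~'RUBY'
  Account.find_by_sql("SELECT * FROM accounts WHERE username = '#{params[:u]}'")
  Account.find_by_sql(["SELECT * FROM accounts WHERE username = ?", params[:u]])
RUBY

if __FILE__ == $PROGRAM_NAME
  puts unsafe_user_query(ATTACKER_INPUT)
  puts safe_user_query(ATTACKER_INPUT)
  p flag_interpolated_find_by_sql(SAMPLE_SOURCE)
end
```

Run stand-alone, the first query shows the interpolated value altering the WHERE clause, while the placeholder form keeps it as a single quoted literal. The scan flags only line 1 of the sample. Two practical points follow from the page's account: a WAF in front of an injectable query is a stopgap that can be bypassed, so the code fix (parameterization everywhere find_by_sql or raw SQL is used) is the actual remediation; and because issued OAuth tokens outlive the code fix, incident response after such a breach must also revoke existing tokens and sessions.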
- Off the Hook: Emma Best and Xan North talk to the 2600 podcast on 10/03/2021
- Ars Technica: Rookie coding mistake prior to Gab hack came from site’s CTO