From Enlace Hacktivista

Hack of the far-right social network Gab, exposing public posts, private posts, user profiles, passwords, DMs, and chat messages by JaXpArO (they/them) & My Little Anonymous Revival Project.

Explanation of the Hack

An ActiveRecord SQL injection vulnerability was present in the site's code at the time of the hack: queries were built with the find_by_sql method instead of parameterized queries.
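The find_by_sql misuse described above, beside the parameterized form ActiveRecord supports, as an added example that is not Gab's code. ActiveRecord is not loaded; the `accounts` table and `username` column are assumptions, and each query is modelled as the (sql, binds) pair it would hand to the database so the two styles can be compared offline.

```ruby
# Vulnerable pattern: user input interpolated straight into the SQL text.
# This is the style of find_by_sql use that leaves the query injectable,
# because whatever the user typed becomes part of the SQL itself.
def vulnerable_query(username)
  sql = "SELECT * FROM accounts WHERE username = '#{username}'"
  { sql: sql, binds: [] }
end

# Hardened pattern: find_by_sql also accepts ["... ?", value]. The value is
# passed as a bind parameter; the SQL text stays constant for every input.
def parameterized_query(username)
  { sql: "SELECT * FROM accounts WHERE username = ?", binds: [username] }
end

# Defender check: if the SQL text contains an odd number of single quotes,
# a string literal boundary was broken by the input. A parameterized query
# always passes this check because its text never changes.
def sql_text_balanced?(query)
  query[:sql].count("'").even?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: an ordinary name containing an apostrophe is enough
  # to show the difference; no attack payload is needed.
  name = "O'Brien"
  puts "interpolated:  #{vulnerable_query(name)[:sql]}"
  puts "  balanced?    #{sql_text_balanced?(vulnerable_query(name))}"
  puts "parameterized: #{parameterized_query(name).inspect}"
  puts "  balanced?    #{sql_text_balanced?(parameterized_query(name))}"
end
```

With the apostrophe the interpolated query's literal is cut short and the remainder of the input is parsed as SQL, while the parameterized query keeps the same text and carries the name in `binds`.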

Gab first tried to mitigate the exploit with the Cloudflare WAF, but the hacker was able to bypass this, return, and collect more data.

After the vulnerability was fixed, the hacker was still able to use unrevoked OAuth tokens to hijack and post messages from the CEO's account.

More Details

Media Coverage