Gab

From Enlace Hacktivista
Hack of the far-right social network Gab by JaXpArO (they/them) & My Little Anonymous Revival Project, exposing public posts, private posts, user profiles, passwords, DMs, and chat messages.

* https://ddosecrets.com/wiki/GabLeaks (limited distribution)
== Explanation of the Hack ==
An ActiveRecord SQL injection vulnerability was present in the site's code at the time of the hack: user input was interpolated into a raw query string passed to <code>find_by_sql</code> instead of being supplied as bind parameters.
Gab first tried to mitigate the exploit with the Cloudflare WAF, but the hacker was able to bypass it, go back and collect more data. A WAF only filters known attack strings in front of the application; it does not remove the underlying bug, so it delays rather than stops an attacker who rewrites their payload.
After the vulnerability was fixed, the hacker was still able to use unrevoked OAuth tokens to hijack the CEO's account and post messages from it. Fixing the injection and resetting passwords does not invalidate access tokens that were already issued, so revoking them has to be part of the incident response.
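The pattern described above, as an added illustration for this page and not Gab's code: a lookup built by interpolating user input into the string handed to <code>find_by_sql</code>, next to the same lookup using the bind-array form that ActiveRecord also accepts. The table and column names (<code>accounts</code>, <code>username</code>, <code>email</code>) and the sample payload are assumed for the demonstration; no database is needed, because both builders only return the SQL text that would reach the server, and a small literal-stripping check shows whether the attacker's text ended up as a value or as part of the statement.

```ruby
# Added illustration (not Gab's code): an injectable raw find_by_sql string next
# to the bind-parameter form. Table and column names are assumed for the demo.

# Vulnerable pattern: the lookup value is interpolated straight into the SQL
# string, equivalent to Account.find_by_sql("... username = '#{name}'").
def vulnerable_account_query(username)
  "SELECT id, username, email FROM accounts WHERE username = '#{username}'"
end

# Quote a value as an SQL string literal by doubling embedded single quotes,
# which is what ActiveRecord's bind substitution does for string parameters.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Substitute each ? placeholder with a quoted literal: the contract of
# find_by_sql(["... = ?", value]) and sanitize_sql_array.
def bind_params(template, *values)
  placeholders = template.count("?")
  unless placeholders == values.size
    raise ArgumentError, "expected #{placeholders} bind values, got #{values.size}"
  end
  remaining = values.dup
  template.gsub("?") { quote_literal(remaining.shift) }
end

# Hardened pattern: the same query with the value passed as a bind parameter.
def hardened_account_query(username)
  bind_params("SELECT id, username, email FROM accounts WHERE username = ?", username)
end

# Remove every single-quoted literal ('' inside a literal is an escaped quote)
# so only the structural part of the statement is left for inspection.
def strip_string_literals(sql)
  sql.gsub(/'(?:[^']|'')*'/, "''")
end

# True when attacker-controlled keywords appear outside any string literal,
# i.e. the input changed the shape of the statement rather than a value in it.
def injected?(sql)
  !!(strip_string_literals(sql) =~ /\bOR\b|\bUNION\b|--/i)
end

if __FILE__ == $PROGRAM_NAME
  payload = "' OR 1=1 --"   # constructed sample input, not a recorded payload
  puts vulnerable_account_query(payload)
  puts hardened_account_query(payload)
  puts "vulnerable injected? #{injected?(vulnerable_account_query(payload))}"
  puts "hardened injected?   #{injected?(hardened_account_query(payload))}"
end
```

With the sample payload the vulnerable builder emits <code>username = '' OR 1=1 --'</code>, which returns every account, while the bind form emits <code>username = ''' OR 1=1 --'</code>, a single literal that matches nothing. The same holds for any other payload, which is why the fix is to pass values as binds rather than to filter specific strings at a WAF.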
=== More Details ===
* [https://www.2600.com/hook/10-03-2021 Off the Hook: Emma Best and Xan North talk to the 2600 podcast on 10/03/2021]
* [https://arstechnica.com/gadgets/2021/03/rookie-coding-mistake-prior-to-gab-hack-came-from-sites-cto/ Ars Technica: Rookie coding mistake prior to Gab hack came from site’s CTO]
== Media Coverage ==
* [https://www.wired.com/story/gab-hack-data-breach-ddosecrets/ Wired: Far-Right Platform Gab Has Been Hacked—Including Private Data]
* [https://theintercept.com/2021/03/15/gab-hack-donald-trump-parler-extremists/ The Intercept: Inside Gab, the Online Safe Space for Far-Right Extremists]
* [https://www.theguardian.com/world/2021/mar/11/gab-hack-neo-nazis-qanon-conspiracy-theories The Guardian: Hack gives unprecedented look into platform used by far right]
* [https://arstechnica.com/gadgets/2021/03/rookie-coding-mistake-prior-to-gab-hack-came-from-sites-cto/ Ars Technica: Rookie coding mistake prior to Gab hack came from site’s CTO]

[[Category:Hacks]]

Latest revision as of 09:25, 23 December 2021