Incident: Parler Social Media Platform Data Breach and Security Failure

Published Date: 2021-01-12

Postmortem Analysis
Timeline:
1. The software failure incident involving Parler happened in the week before the article was published on January 12, 2021 [109594].

System:
1. Parler's architecture
2. Lack of basic security measures
3. Insecure direct object reference (IDOR) issue
4. Lack of authentication for API access
5. Failure to scrub geolocation metadata from images and videos [109594]

Responsible Organization:
1. Parler's lack of basic security measures and architecture flaws led to the software failure incident [109594].

Impacted Organization:
1. Parler - The social media platform Parler was impacted by the software failure incident as it went offline after Amazon Web Services cut off hosting due to security vulnerabilities [109594].

Software Causes:
1. Parler's architecture had a basic bug that allowed for easy downloading of all messages, photos, and videos, including sensitive geolocation data. The bug stemmed from a lack of basic security measures: an insecure direct object reference (IDOR) vulnerability and no authentication for accessing public contents [109594].

Non-software Causes:
1. Lack of basic security measures in Parler's architecture: an insecure direct object reference (IDOR) vulnerability, lack of authentication for API access, and absence of rate limiting [109594].

Impacts:
1. Parler went offline after Amazon Web Services cut off hosting for the social media outlet, impacting its availability and accessibility [109594].
2. Hackers were able to download and archive a significant portion of Parler's public contents, including potentially incriminating evidence related to the Capitol raid [109594].
3. The software failure incident exposed Parler users' detailed locations by failing to scrub geolocation metadata from images and videos before they were posted, compromising their privacy and security [109594].
4. Parler faced repercussions such as being cut off from Amazon Web Services, the Google Play Store, and the Apple App Store, affecting its ability to operate and reach users [109594].

Preventions:
1. Implementing proper authentication mechanisms and access controls to prevent unauthorized access to sensitive data [109594].
2. Utilizing secure coding practices to prevent common vulnerabilities like insecure direct object references (IDOR) [109594].
3. Regular security audits and testing to identify and address potential security flaws [109594].
4. Enforcing rate limiting to prevent automated scraping of data [109594].
5. Scrubbing geolocation metadata from images and videos before they are posted to protect user privacy [109594].
Fixes:
1. Implement proper authentication mechanisms and access controls to prevent unauthorized access to sensitive data [109594].
2. Utilize secure coding practices to prevent common vulnerabilities like insecure direct object references (IDOR) [109594].
3. Regularly conduct security audits and assessments to identify and address potential security weaknesses in the software [109594].
4. Scrub geolocation metadata from images and videos before they are posted to protect user privacy and prevent exposure of sensitive information [109594].
5. Randomize URLs of posts to prevent easy enumeration and scraping of data [109594].
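The authentication, object-level access check, randomized post identifiers and rate limiting named in the Preventions and Fixes lists, combined in one request handler. This is an added example, not Parler's code; `PostAPI`, its token table and the status codes it returns are hypothetical.

```python
import hmac
import secrets
import time

class PostAPI:
    """Hypothetical post-read endpoint with the controls the lists above call for."""

    def __init__(self, api_tokens, rate=5, per=1.0):
        self._tokens = api_tokens      # token -> user (assumption: a real service stores hashes)
        self._posts = {}               # opaque id -> post
        self._rate, self._per = rate, per
        self._buckets = {}             # user -> (requests left, time of last request)

    def create(self, owner, body, public=True):
        post_id = secrets.token_urlsafe(16)   # 128 random bits instead of a sequential number
        self._posts[post_id] = {"owner": owner, "body": body, "public": public}
        return post_id

    def _authenticate(self, token):
        supplied = (token or "").encode()
        for known, user in self._tokens.items():
            if hmac.compare_digest(known.encode(), supplied):  # constant-time comparison
                return user
        return None

    def _allow(self, user, now):
        # Token bucket: refill at rate/per requests per second, capped at `rate`.
        left, last = self._buckets.get(user, (self._rate, now))
        left = min(self._rate, left + (now - last) * self._rate / self._per)
        allowed = left >= 1
        self._buckets[user] = (left - 1 if allowed else left, now)
        return allowed

    def get(self, token, post_id, now=None):
        now = time.monotonic() if now is None else now
        user = self._authenticate(token)
        if user is None:
            return 401, None                  # no anonymous API access
        if not self._allow(user, now):
            return 429, None                  # bulk download is throttled per account
        post = self._posts.get(post_id)
        if post is None or not (post["public"] or post["owner"] == user):
            return 404, None                  # same answer for missing and forbidden ids
        return 200, post["body"]
```

Random identifiers only make enumeration impractical; the ownership check in `get` is what actually closes the IDOR, so both are kept.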
References:
1. The social media platform Parler itself [109594]
2. Amazon Web Services [109594]
3. Hackers involved in downloading and archiving Parler data [109594]
4. @donk_enby, a pseudonymous hacker [109594]
5. Reddit and social media platforms [109594]
6. Kenneth White, codirector of the Open Crypto Audit Project [109594]
7. Josh Rickard, a security engineer for security firm Swimlane [109594]
8. Twilio, the SMS provider for Parler [109594]
9. Data artist Kyle McDonald [109594]
10. Company investor Dan Bongino [109594]

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | one_organization, multiple_organization | (a) The software failure incident related to Parler's security vulnerabilities and data breach can be considered as having happened again within the same organization. The article highlights how Parler's lack of basic security measures, evident in its insecure direct object references and the absence of authentication for accessing public content, led to a massive data scraping incident [109594]. This incident showcases a recurring pattern of security failures within Parler's software architecture. (b) The software failure incident at Parler can also be seen as a cautionary tale for other organizations regarding the importance of robust security measures. The article contrasts Parler's lax security practices with platforms like Twitter, which employ better security protocols to protect user data [109594]. This serves as a reminder for multiple organizations to prioritize cybersecurity and implement necessary safeguards to prevent similar data breaches and vulnerabilities.
Phase (Design/Operation) | design, operation | (a) The software failure incident in the Parler case can be attributed to design flaws in the system. The article highlights that Parler's architecture had a very basic bug that made it easy for hackers to download and archive the site's data. The lack of basic security measures, evident in the insecure direct object reference (IDOR) flaw and the ordering of posts by number in URLs, allowed hackers to easily access and download all messages, photos, and videos posted on the site [109594]. (b) The software failure incident can also be linked to operational issues. Parler's lack of proper authentication for an API that offered access to all its public contents and the absence of rate limiting to prevent rapid access to posts contributed to the ease with which hackers could scrape the site's data. Additionally, the failure to scrub geolocation metadata from images and videos before they were posted led to the exposure of users' detailed locations, revealing GPS coordinates of many homes [109594].
Boundary (Internal/External) | within_system | (a) The software failure incident with Parler was primarily within the system. The failure was attributed to a very basic bug in Parler's architecture that allowed hackers to easily download sensitive data from the platform. The lack of basic security measures, evident in the insecure direct object reference (IDOR) flaw and the absence of authentication for accessing public content, was a key factor contributing to the incident [109594].
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident in the case of Parler was primarily due to non-human actions, specifically a basic bug in Parler's architecture that allowed for the easy scraping and downloading of the site's data. The lack of basic security measures, evident in the insecure direct object reference (IDOR) flaw and the ordering of posts by number in URLs, made it possible for hackers to access and download vast amounts of data without human intervention [109594]. (b) However, human actions also played a role in the failure, as the security vulnerabilities in Parler's system were a result of oversight, laziness, and lack of proper planning by the company. The failure to implement proper authentication, rate limiting, and API restrictions was attributed to the company not anticipating its growth and not designing the system properly [109594].
Dimension (Hardware/Software) | software | (a) The software failure incident related to hardware: The software failure incident involving Parler was not directly attributed to hardware issues but rather to a fundamental flaw in the software architecture of the platform [109594]. (b) The software failure incident related to software: The software failure incident with Parler was primarily due to software-related issues, specifically a basic bug in Parler's architecture that allowed for the easy downloading of sensitive data from the platform [109594].
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident related to Parler was malicious in nature. The incident involved a group of hackers exploiting a security vulnerability in Parler's architecture to download and archive sensitive data from the platform, including evidence of individuals involved in the Capitol raid [109594]. The hackers were able to access and download vast amounts of data due to Parler's lack of basic security measures, evident in its insecure direct object references and the absence of authentication requirements for accessing public posts [109594]. Additionally, the incident highlighted the gross incompetence of Parler in terms of security practices, as the platform failed to scrub geolocation metadata from images and videos before they were posted, potentially revealing users' detailed locations [109594].
Intent (Poor/Accidental Decisions) | poor_decisions | (a) The intent of the software failure incident: The software failure incident involving Parler was primarily due to poor decisions made by the company. Parler's lack of basic security measures, such as authentication for accessing public content, and its use of predictable URLs for posts contributed to the vulnerability exploited by hackers. The decision to not implement proper security protocols, such as rate limiting and authentication, led to the easy scraping of sensitive data from the platform [109594].
Capability (Incompetence/Accidental) | development_incompetence | (a) The software failure incident related to development incompetence is evident in the case of Parler. The article highlights various security flaws in Parler's architecture that allowed hackers to easily download and archive the site's data. These flaws included a basic bug in Parler's architecture that made it easy to access sensitive geolocation data, a lack of basic security measures that left an insecure direct object reference (IDOR) flaw in place, and the absence of authentication for an API that offered access to all public contents [109594]. (b) The software failure incident can also be attributed to accidental factors. For instance, the article mentions that the hackers did not access all Parler information, including private data like images of driver's licenses, and that rumors about hackers gaining access to more private data were debunked. Additionally, the article notes that while Twilio dropped Parler as a customer, the result was only that hackers could bypass two-factor authentication if they knew an account's password or could mass-generate new accounts, not gain access to existing accounts [109594].
Duration | temporary | The software failure incident involving Parler can be categorized as a temporary failure. This temporary failure was due to contributing factors introduced by certain circumstances, specifically the lack of basic security measures that allowed hackers to easily scrape and download the site's data [109594]. The incident led to the site going offline after Amazon Web Services cut off hosting, but there are plans for Parler to return online after addressing the security issues [109594].
Behaviour | omission, value, other | (a) crash: The software failure incident in the article is not related to a crash where the system loses state and does not perform any of its intended functions. The failure was due to a security vulnerability that allowed unauthorized access to Parler's data [109594]. (b) omission: The software failure incident can be related to omission as Parler's security architecture omitted basic security measures that would have prevented the unauthorized scraping of the site's data. This omission allowed hackers to easily download every message, photo, and video posted on the platform [109594]. (c) timing: The software failure incident is not related to timing issues where the system performs its intended functions but at the wrong time. The failure was due to a lack of proper security measures in place [109594]. (d) value: The software failure incident is related to a failure in the system performing its intended functions incorrectly. Parler's security vulnerabilities allowed hackers to access and download sensitive data from the platform, including geolocation data and other incriminating evidence [109594]. (e) byzantine: The software failure incident is not related to a byzantine failure where the system behaves erroneously with inconsistent responses and interactions. The failure was primarily due to a lack of proper security measures and vulnerabilities in Parler's architecture [109594]. (f) other: The behavior of the software failure incident can be categorized as a failure due to inadequate security measures and vulnerabilities in the system that allowed unauthorized access to sensitive data. The incident highlights the importance of implementing robust security protocols to protect user data and prevent unauthorized scraping of platform content [109594].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property, theoretical_consequence | (d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident involving Parler resulted in a significant impact on people's data security and privacy. Due to a basic bug in Parler's architecture, hackers were able to easily download and archive a large amount of Parler's public contents, including sensitive information such as geolocation data, posts, photos, and videos [109594]. This breach of security led to the exposure of potentially incriminating evidence related to the Capitol raid and the identification of individuals involved in the insurrectionist activities. Additionally, the lack of basic security measures, such as authentication requirements and rate limiting, allowed hackers to scrape the site's data and access it in an unauthorized manner. The incident highlighted serious flaws in Parler's security architecture, leading to the unauthorized access and potential misuse of users' data.
Domain | information, finance, government | (a) The failed system in this incident was related to the information industry, specifically the social media platform Parler [109594]. Parler was used as an outlet for free speech but became a haven for disinformation, hate speech, and calls for violence. The software failure incident involved a basic bug in Parler's architecture that allowed hackers to easily download sensitive geolocation data, leading to the platform going offline after Amazon Web Services cut off hosting [109594]. (h) The incident also has implications for the finance industry as it involves security vulnerabilities that could potentially expose user data and compromise security measures. Parler's lack of basic security measures and the ability for hackers to access and download data in a straightforward manner highlight significant security flaws that could impact financial transactions and data protection [109594]. (l) Additionally, the software failure incident is relevant to the government sector as Parler was used as a tool to plan and coordinate an insurrectionist mob's invasion of the US Capitol building. The incident raised concerns about the platform's security vulnerabilities and its role in facilitating illegal activities, prompting actions such as Amazon Web Services cutting off hosting for Parler [109594].
