Gab quickly took the site offline and removed the post, but not before it was archived here.

When the service was restored a few hours later, Torba posted a statement saying that Monday’s breach was the result of site administrators failing to revoke OAuth2 bearer tokens, which browsers and mobile apps store after a user has successfully logged in to a site.

“The attacker who stole data from Gab harvested OAuth2 bearer tokens during their initial attack,” Torba wrote. “Though their ability to harvest new tokens was patched, we did not clear all tokens related to the original attack. By reusing these old tokens, the attacker was able to post 177 statuses in an 8-minute period today.”

Gab's failure to purge bearer tokens may have stemmed from unfamiliarity with the open source Mastodon code the site runs or an unwillingness to require users to go through the hassle of resetting OAuth2 bearer tokens. The theft of the tokens came as a surprise to many because they weren’t included in a trove of hacked Gab data posted by the Wikileaks-style site Distributed Denial of Secrets following the breach.

Shortly after the first breach was discovered, someone at Gab patched a critical SQL-injection vulnerability that was introduced into the website code by site CTO Fosco Marotto. Marotto declined to say if that vulnerability was the one hackers exploited to take over the site, but the bug’s introduction early this year and its removal so soon after the site compromise stoked speculation that it was indeed the one used in the hack. Marotto didn’t immediately respond to an email seeking comment for this post.

Gab has been struggling to stay afloat for more than two years as it continues to provide a haven for hate speech and conspiracy theories. In 2017, Google removed the Gab app from the Play store for terms of service violations.
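The failure described above is a generic one: patching the hole that let tokens leak does nothing about tokens already copied out, so incident response has to invalidate every token issued before the patch, not just the ones known to be stolen. The following is an added illustration written for this post; it is not Gab's or Mastodon's code, and the `TokenStore` class, its method names and the dates in the timeline are constructed for the example. It stores only a hash of each bearer token (so a database dump does not yield usable credentials), shows that a stolen token keeps working after the leak is fixed, and then applies a global "issued before cutoff" rule that kills old tokens while newly issued ones continue to work.

```python
"""Post-breach invalidation of OAuth2 bearer tokens (illustrative, not Mastodon's code).

A token store that rejects every token issued before an incident cutoff,
whether or not that particular token was ever identified as stolen.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import secrets


@dataclass
class Token:
    token_hash: str      # only the SHA-256 of the bearer token is persisted
    user_id: str
    issued_at: datetime
    revoked: bool = False


class TokenStore:
    """Hypothetical token store; names are constructed for this example."""

    def __init__(self):
        self._tokens = {}
        self.not_before = None  # global cutoff set during incident response

    @staticmethod
    def _hash(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()

    def issue(self, user_id: str, now: datetime) -> str:
        """Mint a random bearer token; the caller gets the raw value, we keep the hash."""
        raw = secrets.token_urlsafe(32)
        h = self._hash(raw)
        self._tokens[h] = Token(h, user_id, now)
        return raw

    def authenticate(self, raw: str, now: datetime):
        """Return the user id for a valid token, or None."""
        tok = self._tokens.get(self._hash(raw))
        if tok is None or tok.revoked:
            return None
        # The cutoff check also catches tokens that a bulk sweep missed
        # (replicas, caches), because it is evaluated on every request.
        if self.not_before is not None and tok.issued_at < self.not_before:
            return None
        return tok.user_id

    def revoke_issued_before(self, cutoff: datetime) -> int:
        """Incident response: invalidate every token issued before `cutoff`."""
        self.not_before = cutoff
        count = 0
        for tok in self._tokens.values():
            if tok.issued_at < cutoff and not tok.revoked:
                tok.revoked = True
                count += 1
        return count


def demo():
    """Constructed timeline: a token issued before the breach, leak patched, then cleanup."""
    t0 = datetime(2021, 2, 28, tzinfo=timezone.utc)   # constructed date, not from the article
    store = TokenStore()
    old = store.issue("alice", t0)                    # token in the DB when it is exfiltrated
    breach = t0 + timedelta(hours=1)

    # Leak patched, tokens NOT cleared: the copied token still authenticates a day later.
    still_valid = store.authenticate(old, breach + timedelta(days=1)) == "alice"

    # Proper response: revoke everything issued before the patch time.
    revoked = store.revoke_issued_before(breach + timedelta(hours=2))
    after_cleanup = store.authenticate(old, breach + timedelta(days=2))

    # Users who log in again get fresh tokens that pass the cutoff check.
    new = store.issue("alice", breach + timedelta(days=2))
    fresh_ok = store.authenticate(new, breach + timedelta(days=3))
    return still_valid, revoked, after_cleanup, fresh_ok


if __name__ == "__main__":
    print(demo())  # → (True, 1, None, 'alice')
```

The `not_before` timestamp is the part worth copying: a bulk sweep over the token table can miss rows that live in replicas or application caches, whereas a cutoff checked on every request rejects any pre-incident token no matter where it was read from.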