Gab, a far right-wing social networking site, was hacked for a second time. Their failure to remove OAuth2 bearer tokens provided easy access for the attackers.
Less than two weeks ago, the far-right social networking site Gab was breached. According to DDoSecrets, the attackers collected 70GB of public and private posts, user profiles, hashed passwords, DMs and plaintext passwords for groups. The dataset included over 700,000 messages between 15,000 users, in plaintext. Gab supposedly patched the problem, but missed a step. Earlier this week, the site was breached for the second time.
When Amazon removed Parler from its platform, Parler users flocked to Gab. Having been around since 2017, Gab had already been removed from the Google Play store for terms of service violations. In 2018, GoDaddy terminated its relationship with the site after one of its users criticized the Hebrew Immigrant Aid Society on the site before entering a Pittsburgh synagogue and killing 11 people. Gab has already had its share of uphill battles, even resorting to hosting its own website in order to stay active.
Given that history, you would think that some lessons in protecting the site and its users would have been learned. Apparently, however, Gab's leaders did not get that memo. The first attack was carried out through SQL injection, a class of flaw that has sat on the OWASP Top 10 for years and that attackers keep exploiting because businesses keep failing to fix it. After the first attack, Gab did apply the patch, but they failed to revoke OAuth2 bearer tokens, which resulted in Gab founder and CEO Andrew Torba having his account compromised for a second time. And Gab knew nothing about it until the attacker posted a message under Torba's name.
An OAuth2 bearer token is an opaque credential the site issues after a user logs in successfully; the browser or mobile app stores it and presents it on every later request. The site grants access to whoever presents a valid token, without asking for the password again, which is why a harvested token is as good as a stolen session until the server revokes it.
Gab, of course, took the site down and removed the post, but it had already been archived. Torba released a statement when the site came back up:
“The attacker who stole data from Gab harvested OAuth2 bearer tokens during their initial attack,” Torba wrote. “Though their ability to harvest new tokens was patched, we did not clear all tokens related to the original attack. By reusing these old tokens, the attacker was able to post 177 statuses in an 8-minute period today.”
Gab has a lot of issues to deal with here. They were breached by SQL injection. They didn't purge OAuth2 bearer tokens. They haven't forced users to reset their passwords. They either did not know about, or did not report, the theft of the OAuth2 bearer tokens. Given these errors, it's also possible that other sensitive user data was obtained by the attacker and it just hasn't been revealed yet.
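To make the missed step concrete, here is a small bearer-token store written for this article (it is not Gab's code) that shows what "clear all tokens related to the original attack" looks like on the server side: a revocation cutoff that kills every token minted before the fix went live, a per-user cutoff for forced password resets, and token hashes at rest so a dumped table is not directly replayable. Times are simulated seconds and the 30-day lifetime is an assumption.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TOKEN_TTL = 30 * 86400  # assumed 30-day token lifetime (not a Gab value)

@dataclass
class TokenStore:
    """Minimal bearer-token store; a constructed stand-in, not Gab's backend."""
    # sha256(token) -> (user, issued_at); only the hash is stored, so a table dumped
    # via SQL injection does not yield directly replayable tokens.
    _rows: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    # Tokens issued before this instant are dead for everyone (incident cutoff).
    global_not_before: float = 0.0
    # Per-user cutoff, bumped on a password reset or targeted revocation.
    user_not_before: Dict[str, float] = field(default_factory=dict)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256-bit random opaque token
        self._rows[self._key(token)] = (user, now)
        return token

    def validate(self, presented: str, now: float) -> Optional[str]:
        """Return the owning user if the token is live, otherwise None."""
        row = self._rows.get(self._key(presented))
        if row is None:
            return None
        user, issued_at = row
        if now - issued_at > TOKEN_TTL:
            return None  # expired
        cutoff = max(self.global_not_before, self.user_not_before.get(user, 0.0))
        if issued_at < cutoff:
            return None  # minted before a revocation cutoff: treat as stolen
        return user

    def revoke_issued_before(self, cutoff: float) -> int:
        """The step Gab skipped: kill every token minted before the fix went live. The
        cutoff is kept after purging so a restored backup cannot resurrect them."""
        self.global_not_before = max(self.global_not_before, cutoff)
        before = len(self._rows)
        self._rows = {k: v for k, v in self._rows.items() if v[1] >= cutoff}
        return before - len(self._rows)

    def revoke_user(self, user: str, now: float) -> None:
        self.user_not_before[user] = now  # e.g. after forcing one account's password reset
```

A token harvested before the cutoff is rejected even if it somehow survives in a replica, while logins after the fix keep working.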
This is yet another business that not only skimped on security and configuration, but also failed to get the fix right. Instead, they left a door open for the attackers to get back in and do who knows what kind of damage. Torba's statement said that the attacker was able to post 177 statuses in an 8-minute period. What else were they able to do in that time? Threat actors use automation, too; it raises their success rate and yields more data than they could gather manually.
Gab made some big mistakes here. They can claim that they were targeted because of their user-base, but really, threat actors hack indiscriminately. Parler was breached with ease, so it stands to reason that Gab would be a similarly easy target, and it was. And when they missed a step in applying the fix, it was just as easy to get in a second time.
Be proactive. Tighten up your security, make sure it’s coded into all of your internal and external systems, apps, products and features. And should your company suffer an attack (which it likely will at some point in the business lifecycle), make sure the fix is implemented properly and incident response accurately cleans up the mess.