"Twilio put out at midnight last night. In that Press Release, Twilio accidentally revealed which services Parler was using. Turns out it was all of the security authentications that were used to register a user. This allowed anyone to create a user, and not have to verify an email address, and immediately have a logged-on account.<p>Well, because of that access, it gave them access to the behind the login box API that is used to deliver content -- ALL CONTENT (parleys, video, images, user profiles, user information, etc) --. But what it also did was reveal which USERS had "Administration" rights, "Moderation" rights.<p>Well, then what happened, those user accounts that had Administration rights to the entire platform... The hackers, internet warriors, call it what you will, were able to use the forgot password link to change the password. Why? Because Twilio was no longer authenticating emails. This meant, they'd get directly to the reset password screen of that Administration user."<p>I'm not from the US, but as an outsider, this leaves a really bad taste with how Twilio handled the situation AS A BUSINESS.
This post seems fake.
There was a group of people archiving the public content of parler using this docker container
<a href="https://github.com/ArchiveTeam/parler-grab" rel="nofollow">https://github.com/ArchiveTeam/parler-grab</a>
and archiving it here
<a href="https://tracker.archiveteam.org/parler/" rel="nofollow">https://tracker.archiveteam.org/parler/</a>.<p>I can't validate anything else in this twitter post. The administrator accounts part all seems fake, unless anyone has found the rest of the content or has a better source?<p>Previous discussion deeming it's fake here
<a href="https://news.ycombinator.com/item?id=25725268" rel="nofollow">https://news.ycombinator.com/item?id=25725268</a>
Can we get some better sources? This seems like an awful lot of hearsay, and there have been several comments from HN readers in this thread[0] and another[1] indicating that there is no public evidence to support these claims. Given that the author is alleging this is a crowdsourced effort, such evidence should be trivial to locate, but none has surfaced.<p>[0]: <a href="https://news.ycombinator.com/item?id=25727332" rel="nofollow">https://news.ycombinator.com/item?id=25727332</a><p>[1]: <a href="https://news.ycombinator.com/item?id=25725268" rel="nofollow">https://news.ycombinator.com/item?id=25725268</a>
AWS gives 5Gbps connectivity to instances, according to <a href="https://docs.aws.amazon.com/whitepapers/latest/ec2-networking-for-telecom/overall-instance-bandwidth-limitations.html" rel="nofollow">https://docs.aws.amazon.com/whitepapers/latest/ec2-networkin...</a><p>So, if the sum total of Parler was 70 Terabytes, as claimed... the transfer time would be 38 hours, if it was hosted on one instance... but it obviously wasn't. It was more likely only a matter of minutes.<p>This shows a new type of cloud hosting vulnerability. Your entire corporation's infrastructure could be mirrored faster than you could notice.
How would disabling Twilio disable authentication entirely? From what I see it is used to send SMS and maybe Email as well. So I could understand that it would prevent login, registration and password reset if that service is offline, but it shouldn't allow any of these without authentication.<p>Unless the software skipped authentication entirely when this service was unavailable, which I find hard to imagine. But that seems to be what is claimed right now.
The explanation is a jumbled mess, but I think there are two key parts here:<p>1. Somebody reverse engineered the iOS app, which allowed them to access Parler's API and enumerate all of the content on the app<p>2. The Twilio shutdown affected SMS verification for new account registration, meaning people were now able to programmatically create many new user accounts which they could combine with #1 to scrape all the data without being rate limited
Wait. So how did it work exactly? Why would you get to reset password after clicking "I forgot password?"<p>I thought password reset flow is initiated from the email link not from "Forgot password" link and just paused till email link is clicked.
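The fail-open behaviour the comments above speculate about, as an added illustration (not code from the thread, Parler or Twilio; every class and method name here is hypothetical): a password-reset flow that records an outage at its SMS/email provider as "already verified", beside one that refuses to proceed until a code has actually been delivered and entered.

```python
import hmac
import secrets
from dataclasses import dataclass, field

class ProviderUnavailable(Exception): """Provider cannot accept a message."""

@dataclass
class VerificationProvider:
    """Stand-in for a third-party SMS/email API; `sent` holds issued codes."""
    available: bool = True
    sent: dict = field(default_factory=dict)

    def send_code(self, user: str) -> str:
        if not self.available:
            raise ProviderUnavailable("provider account disabled or down")
        self.sent[user] = secrets.token_hex(4)
        return self.sent[user]

@dataclass
class ResetFlow:
    provider: VerificationProvider
    pending: dict = field(default_factory=dict)  # user -> code, or None (waived)
    passwords: dict = field(default_factory=dict)

    def start_fail_open(self, user: str) -> str:
        """Flawed pattern: a provider outage waives the verification step."""
        try:
            self.pending[user] = self.provider.send_code(user)
            return "code_required"
        except ProviderUnavailable:
            self.pending[user] = None  # recorded as if already verified
            return "reset_allowed"

    def start_fail_closed(self, user: str) -> str:
        """Hardened pattern: no working verification channel means no reset."""
        try:
            self.pending[user] = self.provider.send_code(user)
        except ProviderUnavailable:
            return "unavailable"  # nothing pending for this user
        return "code_required"

    def complete(self, user: str, code: str, new_password: str) -> bool:
        """Change the password only for a pending reset whose code matches."""
        if user not in self.pending:
            return False
        expected = self.pending.pop(user)
        if expected is not None and not hmac.compare_digest(expected, code):
            return False
        self.passwords[user] = new_password
        return True
```

With the provider disabled, `start_fail_open` lets `complete` succeed for any account with an empty code, while `start_fail_closed` leaves nothing pending, so the same call is rejected.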
In the midst of all this, one thing always bites any site when some break-up happens:<p>>Also, a lot of posts were deleted by Parler members after the riots on the 6th. Turned out... Parler didn't actually delete anything.. just set a bit as deleted.<p>The perils of soft/logical delete instead of hard/real deletion.
Seems to be another faked "hack" of Parler. Does Twilio even have a user management component? Why is the explanation of the hack a jumbled mess?<p>I'll believe it after private convos are leaked.
This twitter thread puts this in a bit different light, I think. <a href="https://twitter.com/davetroy/status/1327253991936454663?lang=en" rel="nofollow">https://twitter.com/davetroy/status/1327253991936454663?lang...</a>
Very shoddy development. It sounds that if there was ever a Twilio outage, the same vulnerability could have played out. Not hard to know how Twilio is used either, especially as employees come and go. This was a disaster waiting to happen either way.
This comment seems to explain what really happened best -<p><a href="https://www.reddit.com/r/ParlerWatch/comments/kuqvs3/all_parler_user_data_is_being_downloaded_as_we/giuz38a/" rel="nofollow">https://www.reddit.com/r/ParlerWatch/comments/kuqvs3/all_par...</a><p>One 'hack' enumerating content<p>One 'hack' mass producing accounts to spam with
My question is-<p>Looking at this dump, it appears to just be URLS. If the site doesn't exist anymore then the URLs point to nothing.<p>What's actually exposed? What am I missing here?
If there is one lesson to be learned from these last few weeks it is that you can not rely on any external service if you do anything which goes against the dominant political narrative. I have never been on Parler's site so I can not check the veracity of their supposed implied or direct support for seditious acts but that does not seem to matter anyway, it is enough to stand accused to be considered a witch and burned at the stake.<p>Build your own is the advice, keep your equipment on your own premises, make sure not to have single points of failure - that implies you need to have a backup access provider just in case your internet connection gets cancelled. Don't rely on electronic payment processors, you can use them but make sure to have a backup. Don't rely on a single bank, have multiple accounts, preferably in more than one country.<p>It is a sad thing that it has to come to this but I think we'll eventually end up with politicised service institutions which cater to "progressives", others which cater to "conservatives". They won't state this directly but it will be known that a conservative builder is better off at this bank and that insurance company, he'll prefer to buy this coffee and that brand of razor, etc. A shame, really, the more divided society becomes, the harder it will be to find a common cause when such is needed, e.g. in case of a national emergency like an epidemic.
Oh come on, it was a honeypot from the beginning.<p>Everybody in the last few days was talking about Parler -- they got more exposure than ever in their life. The takedown from AWS was announced a few days before, so more users could register. Parler was running a "Verified Parler citizen" (wat?) campaign, to gather more personal data. And now, hackers conveniently exposed everything. Hackers are unpredictable, you know.<p>I am not defending the Parler audience; the honeypot was elegant, but is it ethical?