Beleaguered social networking site Gab was breached on Monday, marking the second time in as many weeks that hackers have gained unauthorized access to a platform that caters to users pushing hate speech and pro-Trump conspiracy theories.
The compromise came to light after someone hijacked the account of Gab founder and CEO Andrew Torba and left a post criticizing him for not paying an 8 bitcoin ransom for the safe return of documents used to verify the identity of some users. The unknown hacker also accused Torba of failing to disclose the full extent of the earlier breach.
Gab quickly took the site offline and removed the post, but not before it was archived here. When the service was restored a few hours later, a statement Torba posted said that Monday’s breach was the result of site administrators failing to revoke OAuth2 bearer tokens, which browsers and mobile apps store after a user has successfully logged in to a site.
“The attacker who stole data from Gab harvested OAuth2 bearer tokens during their initial attack,” Torba wrote. “Though their ability to harvest new tokens was patched, we did not clear all tokens related to the original attack. By reusing these old tokens, the attacker was able to post 177 statuses in an 8-minute period today.”
Gab’s failure to purge bearer tokens may have stemmed from unfamiliarity with the open-source Mastodon code the site runs or an unwillingness to require users to go through the hassle of resetting OAuth2 bearer tokens. The theft of the tokens came as a surprise to many because they weren’t included in a trove of hacked Gab data posted by the Wikileaks-style site Distributed Denial of Secrets following the breach.
“I think what’s noteworthy here is that they never knew this data was obtained, at least not based on their reporting,” Troy Hunt, owner of the breach notification service Have I been Pwned?, said, referring to this notification that Gab posted on Saturday. Hunt said he was also surprised that Gab has yet to enforce a mandatory password reset for all users. Such resets are standard practice after sites experience breaches that compromise user data.
The first breach came to light last Monday, when DDoSecrets said that it obtained 70GB of passwords, private posts, and more from Gab and was making them available to select researchers and journalists. The data, DDoSecrets co-founder Emma Best said, was provided by an unidentified hacker who breached Gab by exploiting a SQL-injection vulnerability in Gab’s website code.
Trying to stay afloat
Shortly after the first breach was discovered, someone at Gab patched a critical SQL-injection vulnerability that was introduced into the website code by site CTO Fosco Marotto. Marotto declined to say if that vulnerability was the one hackers exploited to take over the site, but the bug’s introduction early this year and its removal so soon after the site compromise stoked speculation that it was indeed the one used in the hack.
Marotto didn’t immediately respond to an email seeking comment for this post.
Gab has been struggling to stay afloat for more than two years as it continues to provide a haven for hate speech and conspiracy theories. In 2018, Google removed the Gab app from the Play store for terms of service violations. A year later, web host GoDaddy terminated service to Gab after one of its users took to the site to criticize the Hebrew Immigrant Aid Society shortly before killing 11 people in a Pittsburgh synagogue.
Following the January 6 storming of the US Capitol by pro-Trump extremists, Amazon and other web hosts have refused to provide service to the site, citing its inability to moderate user content including unfounded claims by Torba and users alike that the 2020 election was stolen from former President Trump.
The revelation that the earlier hack exposed OAuth 2 bearer tokens leaves open the possibility that those responsible obtained other types of sensitive user data. And if that’s the case, Gab’s security woes may still not yet be over.