by commandlinefan 1990 days ago
> Its public API used no authentication. When users deleted their posts, the site failed to remove the content and instead only added a delete flag to it. Oh, and each post carried a numerical ID that was incremented from the ID of the most recently published one.

There's really nothing wrong with any of that, unless you're specifically coding to defend against content scraping. I mean, the whole point of a "tweet" or whatever they're called in Parler land is to be public and discoverable.

> failure to scrub geolocations from images and videos posted online

Worse, but again, was the site even supposed to be designed with anonymity in mind?


> Worse, but again, was the site even supposed to be designed with anonymity in mind?

According to reports from several HN users who tried making accounts, Parler requires driver's license photos as a part of the process you have to go through before you can post. Rather than being designed for anonymity, they seem designed to identify all of their users as unequivocally as possible.

I had an account and you definitely didn't need a driver's license to post anything. I didn't have a picture or anything on my profile.

Yeah, you never give out your driver's license number as an American (or passport number, for international users), and especially not for some sketchy social media platform. It's an easy way to get your credit stolen.

Maybe they let people block out their ID numbers on the license photos, but I doubt that the vast majority of users there would even bother.

Some governments do have eIDs that work cross-border and are designed for both the public and private sectors, with an emphasis on security (although there are bound to be serious problems). This is the case in many European Union countries, and it will apply at some point to the entire EU: https://ec.europa.eu/digital-single-market/en/policies/trust...

From what I understand, the driver's license photo was required to have your account verified; someone was talking about this here: https://news.ycombinator.com/item?id=25730344

So it was a honeypot.

Stupidity is the most likely explanation, especially given literally everything else we know about their technical and legal approach. But I'll agree that "it was a honeypot" conspiracies aren't built entirely out of whole cloth.

If this Twitter thread is right, it sure does look like a honeypot:

https://twitter.com/davetroy/status/1327253991936454663?lang...

Schadenfreude notwithstanding, why didn't more users see that as a massive red flag?

Because 90% of people or more literally don't care. I bet if Facebook started asking you to submit a scan of your credit card + photo ID + birth certificate, a LOT of people would comply. We are creatures of comfort and very rarely of logic.

The topper is that it doesn't appear that requesting post #N did any checks for whether you are allowed to see it (i.e., it doesn't check if post #N is private or deleted). That means that naïve content scraping will uncover private/deleted posts, which is the really big "oops" that Parler had.

Ah - well, yes, that's worse.
> There's really nothing wrong with any of that, unless you're specifically coding to defend against content scraping.

> Worse, but again, was the site even supposed to be designed with anonymity in mind?

Yes! Privacy, security and harm/abuse mitigation must be one of the considerations when you're writing a project. This isn't even anonymity, these are basic safeguards one should put in place. Not doing so is like selling a car with no seatbelts, and arguing that there's nothing wrong with that unless you're specifically manufacturing to defend against car crashes.

This isn't like the argument about how many tests you should have and what kind; this absolutely must be one of the key things to consider when you're creating a project that's going to be used by people to communicate with one another.

Was their security even supposed to work? Yes.

Why is the auto-incrementing ID bad? Easier to scrape, I suppose, if the db ID was in the URL.

If you're not requiring any level of authorisation to enable someone to read a post (i.e., "this post has been removed, you can't see it any more" or "this is a private post, you must be a friend of its author to see it"), then you're just relying on people not being able to guess its ID and grab it from the API. It's a poor version of security through obscurity. It could have easily been rectified by using UUIDs instead of sequential integers (which is what I'm _guessing_ they used).

They used sequential integers, which means it wasn't even security through obscurity. There wasn't any form of security. Not even a Post-it with "please don't hack me".

With a browser and enough time at hand even my grandfather could have dumped their whole DB.
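The two read paths the comments above contrast (a lookup that returns whatever row exists versus one that enforces the deleted and private flags at read time), as an added example that is not code from the thread or from Parler; the post table, friend graph and function names are constructed for illustration:

```python
import uuid

# Constructed sample data (not Parler's): posts keyed by a sequential integer ID,
# carrying the soft-delete and private flags the comments describe.
POSTS = {
    1: {"author": "alice", "body": "public post", "private": False, "deleted": False},
    2: {"author": "alice", "body": "friends only", "private": True, "deleted": False},
    3: {"author": "bob", "body": "regretted post", "private": False, "deleted": True},
}
FRIENDS = {"alice": {"carol"}}  # hypothetical friend graph: author -> allowed readers


def get_post_insecure(post_id, requester=None):
    """The pattern discussed above: the row is returned as stored and the flags are
    ignored, so a soft-deleted or private post is readable by anyone with its number."""
    return POSTS.get(post_id)


def get_post_checked(post_id, requester=None):
    """Authorization at read time. A deleted post and a post the requester may not see
    both produce the same 'not found' result, so the response itself leaks nothing."""
    post = POSTS.get(post_id)
    if post is None or post["deleted"]:
        return None
    if post["private"]:
        allowed = {post["author"]} | FRIENDS.get(post["author"], set())
        if requester not in allowed:
            return None
    return post


def audit_enumeration(fetch, requester=None, upper=10):
    """Defender's check: which IDs in 1..upper does this read path hand out to the
    given requester (None = unauthenticated)? Sequential IDs make this walk trivial."""
    return [pid for pid in range(1, upper + 1) if fetch(pid, requester) is not None]


def mint_opaque_id():
    """Non-sequential ID (UUIDv4) as the thread suggests: it stops the 1..N walk, but
    it is no substitute for the read-time check above."""
    return uuid.uuid4().hex
```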

If by "dumped their whole DB" you mean "a snapshot of their public pages", then yes. Otherwise, no. This was an ArchiveTeam-affiliated scraping operation that relied on slurping down as much public-facing data as quickly as possible, just like their other efforts.

> When news of donk_enby's archival efforts broke, several viral tweets, Reddit posts, and Facebook posts claimed that she had captured private information, scans of drivers licenses and IDs, and other highly sensitive information. She said those posts are "not at all" accurate.
>
> "Everything we grabbed was publicly available on the web, we just made a permanent public snapshot of it," donk_enby told me.

https://www.vice.com/en/article/n7vqew/the-hacker-who-archiv...

Please stop making bombastic claims that will lead to people finding it easier to believe the kinds of unfounded rumors referenced above.

> Worse, but again, was the site even supposed to be designed with anonymity in mind?

Given that a common conspiracy theory espoused on Parler is (was) that vaccines contained tracking microchips (?), I imagine Parler users expected at least some anonymity.