Gab.com is a free-speech social network: you can say whatever you want without being censored. It has been very fashionable lately and has mostly attracted the attention of the right (and far right) of the United States. On February 26, 2021, the password database of this website was leaked or stolen. In Fig. 1 you can see the information shown by Firefox's saved-logins page if you go to about:logins?filter-gab.com.
The Have I Been Pwned website is a database of more than 500 security breaches. Not all of them are there, but it is a very representative part of the total. These security breaches are leaks of your data by sites that, through an oversight (or not), have allowed criminals to access their systems and download the user database.
Accessing gab.com without actually accessing it
I access gab.com with an account associated with john@mailinator.com by following the steps in Internet security breaches that expose your data. Inside Gab you would see something like what is shown in Fig. 2. The account alias is @donadltrump. I didn't choose it; it was chosen by the first person who used that account.
You can access gab.com without actually using your own data. It is therefore a disposable gab.com account associated with a public email address. That way, if my data is leaked in the future, it is very likely that it will not even receive spam. If the FBI manages to access the user data on this page, it will reach an account that belongs to a public mailinator.com address. Your real data will not be affected.
Gab.com with a fake account
To check the security of the page I used the account associated with john@mailinator.com. Anyone can use this email address without knowing any access password. You go to mailinator.com, open John's mailbox, and on gab.com choose the REMEMBER PASSWORD (password reset) option. The reset email arrives in John's mailbox and you create whatever password you want.
How the leak occurred
The Twitter thread created by Troy Hunt, a world-famous security expert, is very interesting. This thread sets the record straight and pins down the rather serious errors made by gab.com's administrators.
Troy quotes a ridiculous tweet from Gab's own Twitter account. It is fairly common practice for an organization to post a public statement after a breach or even, as the opening phrase of the tweet suggests, an “alleged” breach. Most organizations start with “we take your data security seriously,” talk about credit cards, and then promise to provide more updates as they become available.
Gab's approach… differs. The leak was reported by Wired, and according to Gab's managers the reporters were “essentially helping the hacker in his efforts to defame our business.” There is no point in saying that Wired is helping hackers: if the article echoes the leak, the leak has already happened, and the article only makes it public so that people like you and me find out.
Passwords are weak if they’re easy to remember
It is also striking that Gab stated the following: “It is standard practice for passwords to have hashes. If the alleged violation has occurred as described, your passwords have not been revealed.” This is a lie, and it ignores how simple it is to recover a weak password from its hash. I talked about this in What are hash functions and their use in passwords.
If the password is “maga2020!” or “123456”, it has already been revealed. Just go to any of the many websites online, enter that password to get its hash, and then compare that hash with the one that has been leaked online.
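An added example (not from the original post) that shows both sides of this point at once: with unsalted fast hashes, a single precomputed table recovers “maga2020!” and “123456” immediately, and even with per-user salted, slow hashing those same weak passwords still fall to plain guessing, while only the random one survives. The standard library's PBKDF2 is used as a stand-in for the bcrypt that Gab reportedly used; that substitution, the sample records and the wordlist are this example's own constructions.

```python
import hashlib
import os

# Constructed sample data (no real leaked records): three users whose site
# stored plain, unsalted SHA-256 hashes, which is what a lookup attack needs.
USERS = {"user1": "maga2020!", "user2": "123456", "user3": "cX9#v!L2q@rT8wPz"}
LEAKED_UNSALTED = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in USERS.items()}

# Constructed mini wordlist standing in for the public password lists whose
# hashes are already precomputed on the "multiple web pages" the post mentions.
WORDLIST = ["password", "123456", "maga2020!", "qwerty", "letmein"]


def recover_unsalted(leaked, wordlist):
    """Match leaked unsalted hashes against a precomputed table.

    One table serves every user, so the cost is one hash per wordlist entry."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def slow_salted_hash(password, salt, iterations=100_000):
    """Per-user salted, iterated hash. PBKDF2 from the standard library stands in
    for bcrypt here (an assumption of this example); both give a random salt per
    user and a tunable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# The same users stored the way the post says Gab did (bcrypt-style).
LEAKED_SALTED = {}
for u, p in USERS.items():
    salt = os.urandom(16)
    LEAKED_SALTED[u] = (salt, slow_salted_hash(p, salt))


def recover_salted(leaked, wordlist):
    """Dictionary check against salted records.

    No shared lookup table is possible: each user's salt forces a fresh slow
    hash per guess, yet a password that is in the wordlist still falls."""
    found = {}
    for user, (salt, digest) in leaked.items():
        for w in wordlist:
            if slow_salted_hash(w, salt) == digest:
                found[user] = w
                break
    return found


if __name__ == "__main__":
    print("unsalted:", recover_unsalted(LEAKED_UNSALTED, WORDLIST))
    print("salted:  ", recover_salted(LEAKED_SALTED, WORDLIST))
```

The salted run takes noticeably longer for the same three users, which is the only protection bcrypt-style storage buys: it raises the cost per guess, it does not rescue a password that is already on every wordlist.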
The legendary session cookie
One detail that does not escape my attention is that the page sets a session cookie that lasts 1 year. That is, on the same computer from which I am accessing gab.com it will keep me logged in for a year; the session is not closed for a whole year. You can see that information in the browser's inspector (developer tools).
Summary
Data leaks are a very important problem on websites today. There is a mountain of data, our data, and there are people out there who love it. It is not a good idea to act like a know-it-all brother-in-law giving absurd explanations that only your acolytes understand. If you are the one who leaked the data, don't blame the messenger; act accurately and appropriately to mitigate the damage.
Gab.com leaked data from thousands of users. The incident spilled about 70 gigabytes of data, including 4 million user accounts, a small number of private chats, and a list of public groups. Only a small number of accounts included the email address and passwords stored as bcrypt hashes, for a total of 66,000 unique email addresses.
Internet security has to carry more weight so that leaks do not happen. But if they do happen, please don't act in a way that blames the messenger instead of taking responsibility yourself. Security starts with you.