Aurich Lawson
The beleaguered social networking site Gab was compromised on Monday. This marked the second time in as many weeks that hackers had gained unauthorized access to a platform aimed at users advocating hate speech and pro-Trump conspiracy theories.
The compromise came to light after someone hijacked Gab founder and CEO Andrew Torba's account and left a post criticizing him for failing to pay an 8-bitcoin ransom for the safe return of documents that had been used to verify the identities of some users. The unknown hacker also accused Torba of failing to disclose the full extent of the previous breach.
Gab quickly took the site offline and removed the post, but not before it was archived here (https://archive.md/mSYxk). When service was restored a few hours later, a statement released by Torba said the breach on Monday was due to site administrators failing to revoke OAuth2 bearer tokens, the credentials that browsers and mobile apps store after a user has successfully signed in to a site.
Token harvest
"The attacker who stole data from Gab harvested OAuth2 bearer tokens during their first attack," Torba wrote. "Although their ability to harvest new tokens has been patched, we haven't deleted all tokens related to the original attack. By reusing these old tokens, the attacker was able to publish 177 statuses in a period of 8 minutes today."
Gab's failure to delete the bearer tokens may be due to unfamiliarity with the open source Mastodon code that the site runs, or to an unwillingness to force users to obtain new OAuth2 bearer tokens by signing in again. The theft of the tokens came as a surprise to many, because it was not mentioned in the trove of hacked Gab data released WikiLeaks-style by the Distributed Denial of Secrets website after the breach.
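The failure Torba describes is that tokens minted before the first attack stayed valid after it. The following is an added example, not Gab's or Mastodon's code: a bearer-token store that keeps only token hashes (so a database dump alone yields no reusable tokens) and an incident-response sweep that revokes every token issued before a containment cutoff. The user names, dates and in-memory store are constructed assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Constructed in-memory store; a real deployment keeps these rows in its database.
# Only the SHA-256 of each bearer token is stored, so a dump of this table on its
# own does not hand an attacker reusable tokens.
TOKENS = {}                        # token_hash -> {"user", "issued_at", "revoked"}
STATE = {"invalid_before": None}   # global cutoff set during incident response

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(user, now):
    token = secrets.token_urlsafe(32)
    TOKENS[_digest(token)] = {"user": user, "issued_at": now, "revoked": False}
    return token  # the plaintext goes to the client once and is never stored

def revoke_all_issued_before(cutoff):
    """Incident-response step: invalidate every token minted before the breach
    was contained. Returns the number of tokens revoked by this sweep."""
    STATE["invalid_before"] = cutoff  # also rejects rows this sweep never saw
    revoked = 0
    for rec in TOKENS.values():
        if rec["issued_at"] < cutoff and not rec["revoked"]:
            rec["revoked"] = True
            revoked += 1
    return revoked

def validate(token):
    """Return the user for a live token, or None if the token is unknown,
    revoked, or predates the global cutoff."""
    rec = TOKENS.get(_digest(token))
    if rec is None or rec["revoked"]:
        return None
    cutoff = STATE["invalid_before"]
    if cutoff is not None and rec["issued_at"] < cutoff:
        return None
    return rec["user"]

def simulate_breach_response():
    """Constructed timeline: a token harvested before containment must stop
    working after the sweep, while a token issued afterwards keeps working."""
    t0 = datetime(2021, 2, 28, tzinfo=timezone.utc)        # constructed date
    harvested = issue_token("alice", t0)                    # stolen in the first attack
    contained = t0 + timedelta(days=1)                      # harvesting path patched
    revoked = revoke_all_issued_before(contained)
    fresh = issue_token("alice", contained + timedelta(hours=1))  # user signs in again
    return {"revoked": revoked,
            "old_token_ok": validate(harvested) is not None,
            "new_token_ok": validate(fresh) is not None}

if __name__ == "__main__":
    print(simulate_breach_response())
```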
"I think what's noteworthy here is that they never knew this data was obtained, at least not based on their reporting," said Troy Hunt, owner of the breach notification service Have I Been Pwned, referring to this notification that Gab posted Saturday. Hunt said he was also surprised that Gab has not yet forced a mandatory password reset for all users. Such resets are standard after a website breach that compromises user data.
The first breach became known last Monday when DDoSecrets said they had received 70 GB of passwords, private posts and more from Gab and made them available to selected researchers and journalists. The data, said Emma Best, co-founder of DDoSecrets, was provided by an unidentified hacker who breached Gab by exploiting a SQL injection vulnerability in Gab's website code.
Struggling to stay afloat
Shortly after the first breach was discovered, someone at Gab fixed a critical SQL injection vulnerability that had been introduced into the website code by Gab CTO Fosco Marotto. Marotto declined to say whether this vulnerability was the one that hackers exploited to take over the site, but the introduction of the bug earlier this year and its removal so soon after the site's compromise fueled speculation that it was, in fact, the one used in the hack.
Marotto did not immediately respond to an email looking for a comment for this post.
Gab has struggled to stay afloat for more than two years as it continues to be a haven for hate speech and conspiracy theories. In 2017, Google removed the Gab app from the Play Store for violating its terms of service. A year later, web host GoDaddy ended service for Gab after one of its users used the site to post an attack on the Hebrew Immigrant Aid Society shortly before 11 people were killed in a Pittsburgh synagogue.
The discovery that the previous hack exposed OAuth2 bearer tokens leaves open the possibility that the attackers obtained other types of sensitive user data as well. If so, Gab's security troubles may not be over.
This post has been updated to remove the penultimate paragraph, which contained incorrect information about Gab's relationship with Amazon.