Published by The Lawfare Institute
in Cooperation With
This piece has been updated.
Nobody needs a summary of the events of last week. The seditious insurrection in the Capitol will live in American memory for many years to come. As Congress turns its attention to presidential accountability, the U.S. government turns its gaze toward the domestic rioters, beginning the process of criminal sanctions against those who engaged in illegal riots. Meanwhile, social media companies and other tech firms have begun taking action to limit access to their platforms by those stoking violence—a step that will have long-term consequences and engender significant debate.
One would have thought that the violent physical riots had little to do with actual cybersecurity. And yet, a massive cybersecurity breach at Parler—a Twitter equivalent commonly used by Trump supporters—is likely to make it much easier for the government to prosecute its criminal cases.
The details are still developing, but the incident is of sufficient note that it warrants an early mention here. Parler, like most communications systems, maintained meta-data on its use and its users. Indeed, unlike many other systems, Parler requires users to provide a photocopy of identification (typically a state driver’s license) in order to be “verified” on the site. This ID, along with all the metadata for Parler posts—such as geo tags for images, IP addresses for posters and so on—was available to Parler administrators. Likewise, the actual content of Parler posts—videos, texts and such—was also available in plain view format to administrators. Given the role Parler appears to have played as a means of providing space for the coordination of the assault on the Capitol, this cache of information would, in the hands of law enforcement, be a treasure trove of leads and, ultimately, of digital forensic evidence that would be useful in proving individual criminal guilt.
What happened last night boggles the imagination. Twilio, a communications security company, announced that it was suspending services for Parler, along with a slew of other services. In doing so, Twilio seems to have accidentally also revealed which services it provided to Parler—namely, the security authentication services to register a new user. This, in turn, meant that anyone could register as a new user for Parler without having to verify their email.
A group of hackers were then able to use this vulnerability to identify which Parler users had “ADMIN” privileges. The hackers bypassed the verification hurdle by using the “forget password” link to take control of those identified Admin accounts—and, then, to automate programs to create an image of the entire contents of Parler. That image is now available on the network and thus is available for review by anyone in the public—including, of course, law enforcement officials.
One can only imagine how useful this will be to law enforcement. And it is a cautionary tale about the fragility of the security of private networks.
Update: Two updates and corrections to this developing story of which I was made aware after publication. First, Twillo has advised me that it has not issued any press releases pertaining to or referencing Parler. Furthermore, they tell me, Parler was using Twilio to send out identity verification codes for new downloads or password resets. Once a user was verified, security protocols were independently handled by Parler and did not involve Twilio or its products. Second, an individual who was involved in the collection of Parler data reached out via Twitter to advise that no meta-data was in the data collected.