Gab Hit With Data Breach, Exposed Private Posts and Messages

Social network platform Gab was hacked, following a security flaw that allowed threat actors to download roughly 70 gigabytes of data, including private posts and messages.

The large trove of data was stolen and a ransom of $500,000 in bitcoin was demanded in exchange for the 70GB file. Reports said cybersecurity experts found an SQL injection vulnerability that left Gab open to attack, and that it was introduced by the company’s own chief technology officer.

Threat actors named the stolen file GabLeaks, containing 70GB of public and private posts, user profiles, hashed passwords, direct messages, and plaintext passwords for groups. The transparency group DDoSecrets is offering to share the data set with journalists and researchers.

Gab Hit With Data Breach

The security flaw was introduced in a git commit authored by the company’s CTO last February. Following the discovery of the breach, Gab has reportedly removed the git commit from its website. Evidence showed 23 lines of reject-and-filter code in the commit, indicating that it was meant to protect against SQL injection attacks.

Gab CEO Andrew Torba acknowledged the hack, saying, “The entire company is all hands investigating what happened and working to trace and patch the problem.” Additionally, the company is working with law enforcement to get to the bottom of the problem and trace the threat actors.

Although the hackers demanded a ransom, Torba made it clear that Gab won’t pay. “The individuals holding us to ransom are extortionists. We do not pay ransom. We do not negotiate with extortionists. Period,” said Torba.

Addressing DDoSecrets’ intention of not releasing the data sets in public, CEO Torba said there’s nothing ethical about this move. In fact, he said these people aren’t ethical hackers as there are no ethics in targeting millions of Internet users.

Pitfall

Cybersecurity experts said the SQL injection is a major factor behind the breach, but it’s not 100 percent confirmed that it was the cause. Either way, experts say the find_by_sql method isn’t safe as used and could be the pitfall.

What experts find ironic is that Gab’s CTO Fosco had previously warned fellow programmers to use parameterized queries as prevention for SQL injection vulnerabilities.
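The two preceding paragraphs turn on one distinction: splicing user input into the text of a query handed to find_by_sql, versus keeping the SQL fixed and passing the value as a parameter. The following is an added example, not Gab’s code and not the removed commit; it is plain Ruby with no database, and the query template, the `accounts` table, the `'` doubling used for quoting and the sample payload are all assumptions constructed for the demonstration. The parameterized builder mirrors the shape of ActiveRecord’s array form `find_by_sql(["... ?", value])`; in a real application the adapter or driver does the binding, and this hand-rolled quoting is only here so the contrast can be run offline.

```ruby
# Added example (not Gab's code): why interpolated SQL is injectable and a
# parameterized query is not, in the style of Rails' find_by_sql.

# Constructed template; the "?" is a placeholder in the ActiveRecord array style.
ACCOUNT_BY_USERNAME = "SELECT * FROM accounts WHERE username = ?"

# Vulnerable pattern: the untrusted value becomes part of the SQL *text*.
# A find_by_sql call built this way lets the input rewrite the query.
def build_query_interpolated(username)
  "SELECT * FROM accounts WHERE username = '#{username}'"
end

# Quote a value as a SQL string literal by doubling embedded single quotes.
# Assumption: standard-SQL quoting; real code should let the database
# adapter bind values instead of quoting by hand.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Safer pattern: the SQL text is fixed and each "?" is replaced by a quoted
# literal, so the value can never close the literal and add new clauses.
# Placeholders and values are paired up front, so a "?" inside a value is
# never mistaken for a placeholder.
def build_query_parameterized(sql, *values)
  parts = sql.split("?", -1) # -1 keeps a trailing empty segment
  unless parts.size - 1 == values.size
    raise ArgumentError, "expected #{parts.size - 1} values, got #{values.size}"
  end
  parts.first + values.zip(parts.drop(1)).map { |v, tail| quote_literal(v) + tail }.join
end

# Defender's check: strip every string literal and compare what is left.
# A correctly parameterized query has the same skeleton as its template;
# an injected one grows extra clauses outside the literals.
def sql_skeleton(sql)
  sql.gsub(/'(?:[^']|'')*'/, "?")
end

def structure_preserved?(template, built_sql)
  sql_skeleton(template) == sql_skeleton(built_sql)
end

if __FILE__ == $PROGRAM_NAME
  payload = "' OR 1=1 --" # constructed sample input, the textbook injection string
  puts build_query_interpolated(payload)
  puts structure_preserved?(ACCOUNT_BY_USERNAME, build_query_interpolated(payload)) # false
  puts build_query_parameterized(ACCOUNT_BY_USERNAME, payload)
  puts structure_preserved?(ACCOUNT_BY_USERNAME, build_query_parameterized(ACCOUNT_BY_USERNAME, payload)) # true
end
```

Run stand-alone, the interpolated query comes back with an `OR 1=1` clause and a comment marker sitting outside any string literal, while the parameterized query keeps the whole payload inside one quoted literal and its skeleton still matches the template. The skeleton comparison is the kind of check a code reviewer or a test suite can apply to any query builder: if the structure of the emitted SQL depends on the input, the input is being treated as code.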

This isn’t the only recent issue faced by the social network: last month the company briefly took the website offline after it was linked to a bitcoin scam. Gab has to take action to prevent the scam from exploiting more people on the platform.
