Threat Analysis of DDoSecrets Gab Release

William Welna
Mar 6, 2021
Src: https://commons.wikimedia.org/wiki/File:Gab_Logo.svg

Preamble

Today we are going to look at the results of my analysis of the data in the DDoSecrets release on Gab, a far right extremist social network. This details the potential impact on the social network and what the release could mean for them.

How it was done

Src: https://git.rip/gab/gab-social/-/commit/fa8b6a33772327770df96249e40b26254c309d8f (link broken due to domain seizure; see the mirror at https://github.com/WWelna/gab-social-mirror/commit/fa8b6a33772327770df96249e40b26254c309d8f)

It is speculated that the breach originated from auditing their code base on code.gab.com and from the careless disregard of the developer, who introduced SQL injections in a multitude of places. There is no confirmation of how this was done, nor any confirmation of the method employed, from Gab at this time (demons not included). What we know for sure is that the developer responsible for Gab’s code base is lacking in basic security and technical skills, along with the familiarity with the Mastodon code base needed to properly modify the code. The “comment out and remove everything that might be a SQL injection” approach to patching the vulnerabilities he introduced himself, rather than using parameter binding, which would negate the issue entirely, is a strong indication of the lack of skills needed to properly maintain and manage Gab’s code base.
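As an added example (not Gab’s or Mastodon’s code), the following Ruby lint pass flags the anti-pattern described above, user-controlled data spliced into raw SQL through string interpolation in ActiveRecord calls, and contrasts it with the bound-parameter form that removes the issue. The method list and the sample source are constructed for illustration.

```ruby
# Added example: flag ActiveRecord call sites that build raw SQL by string
# interpolation instead of binding parameters. Not Gab's or Mastodon's code.

# ActiveRecord/Arel entry points that accept raw SQL fragments (assumed list).
RAW_SQL_METHODS = %w[where order select group having joins find_by_sql execute].freeze

# Matches e.g. `.where("name = '#{params[:q]}'")`: a raw-SQL method whose first
# argument is a double-quoted string that contains Ruby interpolation.
INTERPOLATED_SQL = /\.?(#{RAW_SQL_METHODS.join('|')})\s*\(\s*"(?:[^"\\]|\\.)*#\{/

# Scan source text; return [line_number, method, stripped_line] for each finding.
def find_interpolated_sql(source)
  source.each_line.with_index(1).filter_map do |line, lineno|
    m = INTERPOLATED_SQL.match(line)
    [lineno, m[1], line.strip] if m
  end
end

# Constructed sample: two unsafe call sites and two that are already safe.
# Single-quoted heredoc so the #{...} stays literal text for the scanner.
SAMPLE_SOURCE = <<~'RUBY'
  def search(params)
    Status.where("text LIKE '%#{params[:q]}%'")                                    # unsafe: interpolated
    Account.find_by_sql("SELECT * FROM accounts WHERE username = '#{params[:u]}'")  # unsafe: interpolated
    Status.where("text LIKE ?", "%#{params[:q]}%")                                  # safe: value bound via ?
    Account.where(username: params[:u])                                             # safe: hash conditions
  end
RUBY

if $PROGRAM_NAME == __FILE__
  find_interpolated_sql(SAMPLE_SOURCE).each do |lineno, meth, line|
    puts "line #{lineno}: raw SQL via #{meth} with string interpolation -> #{line}"
  end
end
```

The two flagged lines are fixed by moving the value into a bound argument, as lines 4 and 5 of the sample already do.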

There is no evidence suggesting any witchcraft, dark magick, or demons were involved thus far in the data breach. It is unclear if prayer and Gab’s certified team of exorcists had any effect on detecting and preventing the intrusion before more data was liberated.

How much data was extracted?

Left: DDoSecrets Gab Dump, Right: My scrap of Gab

According to what I can estimate, based upon the data that was liberated, it was not much.

The statuses in the breach only amount to an estimated 23.4% of the total posts on Gab. This number was calculated by taking the total status count recorded for each account in the list of accounts and summing the differences between each account’s recorded total and the number of that account’s statuses actually present in the dump. From this analysis we get an estimated 166,462,727 total posts on Gab at the time of the breach.

If you compare the scrapes I did of Gab with this data breach, there are clear gaps in the data. A notable example: for 11/03/2018 the dump contains a total of 5 posts.

As for account information, only 323 accounts, 0.00007% of the total, were missing from the breach; this was calculated by checking each status and seeing whether the corresponding account was present in the list of accounts.
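The two completeness checks described above, the status coverage estimate and the search for statuses whose account is absent from the account list, as an added Ruby example run on a constructed miniature of the dump (not DDoSecrets’ or Gab’s code; the table shapes are assumed and the real column names are not reproduced).

```ruby
# Added example: completeness checks on a dump, in the style described above.
# accounts: account id => total status count recorded on the account row.
# statuses: [status_id, account_id] rows actually present in the dump.
# Constructed sample: account 1 has only 2 of its 10 statuses present, account 2
# is complete, and account 3 is referenced by a status but missing from the list.
ACCOUNTS = { 1 => 10, 2 => 5 }.freeze
STATUSES = [[101, 1], [102, 1], [201, 2], [202, 2], [203, 2], [204, 2], [205, 2], [301, 3]].freeze

# Account ids referenced by statuses but absent from the account list.
def orphan_account_ids(accounts, statuses)
  statuses.map { |_, acct| acct }.uniq.reject { |acct| accounts.key?(acct) }
end

# Coverage figures: statuses present for listed accounts, the recorded grand total,
# the summed per-account shortfall, and the resulting coverage percentage.
def coverage(accounts, statuses)
  present = statuses.count { |_, acct| accounts.key?(acct) }
  total   = accounts.values.sum
  missing = accounts.sum { |acct, recorded| recorded - statuses.count { |_, a| a == acct } }
  { present: present, recorded_total: total, missing: missing,
    coverage_pct: (present * 100.0 / total).round(1) }
end

if $PROGRAM_NAME == __FILE__
  c = coverage(ACCOUNTS, STATUSES)
  puts "statuses present: #{c[:present]} of #{c[:recorded_total]} (#{c[:coverage_pct]}%), missing: #{c[:missing]}"
  puts "accounts referenced but not in account list: #{orphan_account_ids(ACCOUNTS, STATUSES).inspect}"
end
```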

The overall security impact of the breach is negligible. Only 7,110 accounts had their password hashes compromised, which makes up 0.17% of the overall list of 4,117,381 accounts in the breach. The emails of 38,171 accounts were exposed, which is 0.92% of the overall list of accounts in the breach. Only 7,102 accounts had both an email and the associated password hash attached.

It is worth noting that the passwords to join various Gab groups are not hashed and are stored in plain text. They are often related to the topic of the group itself and can easily be guessed.

The @realdonaldtrump account on Gab was a mirror copy of its associated account on Twitter until that account was suspended. It now posts statements and communications relating to and from former president Trump. This account is run and managed by Gab itself, and the associated email address is at kuhcoon.com, a former failed project of Andrew Torba.

Activity of Gab

Src: Generated in LibreOffice from stats

Out of a total of 4,117,381 accounts, 23.7% have posted, and of those, 10.3% have posted 10 or more posts. Considering that these numbers cover the past 4 years and that accounts may have gone dormant, the number of truly active users is not going to be very high. Due to insufficient information, neither a reliable estimate nor a reliable count can be obtained. These numbers rest on the assumption that the list of accounts and associated metadata are complete enough to give an accurate view of account activity.

Personal Information Concerns

Besides the few passwords and emails mentioned above, there is a quantity of personal messages between accounts.

The most notable is two accounts planning and exchanging doxes of Portland BLM and Antifa. The individual involved is a very well known alt-right aligned troll with an extensive felony record, along with previous charges concerning his violent behavior towards women. He brags in detail about his methods of terrorizing female BLM/Antifa activists with their personal information. This is, to say the least, very disturbing, yet typical behavior from the alt-right.

There are posts from protected accounts included in the dump, which may raise concerns about identifiable personal information, depending on the nature of those protected accounts and their posts.

3/14/2021 — A new file was uploaded, verifications.2021-03-01.sql.zstd, containing the entries of 906 users with their corresponding verification status, their unique Gab user id, and a URL to what look like pictures of them holding up IDs as part of Gab’s verification process. I assume this is the source of the mosaics that were posted to verify the claims that they indeed have them. For obvious reasons, I have not tried to confirm whether the URLs do indeed link to the pictures in question.

Conclusions

The vast majority of the data can be obtained through legal means using a data scraper. The security risk posed to Gab and its user base by the release of this data is incredibly low. I was hoping I could use this in my own research, but with so many of the statuses missing, I am not sure if it will be viable. Nonetheless, this gives some important insight into the extremist mindsets that run wild over at Gab. It also puts some of Gab’s claims about an extortion attempt in a new light, as in my opinion nothing here is worth paying any kind of ransom to keep hidden.

Updates

Src: https://twitter.com/alibreland/status/1369040511865085957

3/8/2021 — There is now more concrete evidence of the extortion attempt on Gab. The mosaics are of Gab Pro users (who donated/gave money to Gab) with pictures of them holding up IDs. The second mosaic was posted in the DDoSecrets Telegram channel, and the whereabouts of the third I do not know at this time.

3/14/2021 — It appears that the git.rip domain, which had previously hosted a mirror of Gab’s source code, has been seized. I have put a backup of the code base at https://github.com/WWelna/gab-social-mirror and integrated the recent gab-social-march-2021.7z release that was published on https://code.gab.com/gab/gab-open-source.

There is a new file in the DDoSecrets Gab release named statuses-2021-03-01.sql.zstd that I am in the process of acquiring. Going by the name and size, this might be more released Gab posts, which may bring the estimated total to nearly 50% of all posts.
