A coding slip up made by social media site Parler offers practical lessons to the broader security community about the reputation fallout and even legal and competitive ramifications that can come with a failure in security protocols.

This week, users of Parler learned researcher had archived nearly all the posts to the social media site preferred by the extreme-right in the haze of the D.C. insurrection — including many of those that users thought they had deleted.

The researcher, who goes by @donk_enby on Twitter, took advantage of insecure direct object references (IDOR), a failure to secure unique parts of the site. In Parler's case, it played out like this: each post was given a numeric identifier. Anyone using the site's API could access a post by giving the number with no other authenticator. So, anyone who wanted to access every post ever put on the site could do so by requesting post one, then two, and so on into infinity.

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.