Status: Occasionally Checking...

Bots, Scripts, Scrapes and Hacks

10/07/2022

This post is in response to a recent post by Andrew Torba.

On-Site Related Posts: Bots, Scripts and Scrapers , Gab Bot Creation Management
Below is a screen capture of Andrews post. (Please read it while I prepare to jump on my 'soapbox'.)

Okay, so lets take this one step at a time shall we?

A: Researchers have no access to our data.

Me: I disagree, as Gabs entire user base and the statistics of them all can be accessed via a single public API end point. At fault is Gabs entire user base being sequentially created and referenced by every profile on load by UID number, which should have been encrypted from the start, and those encrypted numbers used for platform access instead of the real UID number. Real UID's should only be accessible by Admins. In fact, in 2017 when myself and several others discovered that you could simply use Gabs search function on just a numerical search, the results would include the profile of the user associated with that user ID number. Andrew disabled this as soon as he was informed of the measure used to associate a UID number w/an account user name.

While Andrew states that Gab goes above and beyond to protect end users, in the end it relies heavily on the available  actions for end users to do it themselves via private accts., private/moderated groups, using the optional expiring posts and comms. via DM (not encrypted) and chats. My question is "above and beyond" what? Industry standards? You lost me there when you failed to encrypt user ID's. Even so, the steps Gab takes now weren't always in place or even considered. In fact, the first scrape of the user base that I'm aware of (screencap below) on Pastebin relied heavily on this very exploit and list all the donors screen names up until the date of the post. You get a screen capture because I won't post the URL nor the full content.

Furthermore, I will post these sources as proof that Gabs platform has been/can be and is scraped and manipulated by scrapers and automated browser bots.

garcop9, Autogrow 

While as Andrew suggests 'researchers can't tell the difference between 'us moderating/deleting an account and
someone self deleting their account/content', it can be said that someone monitoring the aforementioned sequentially created accounts can indeed tell almost in real time, accounts that are being removed for spam/porn TOS violations.

Hacks, remember the 'Fosco Fiasco' w/the 'live' open source code being exposed?
Cnet DistributedDenialOfSecrets

Giving up user account archives to LE w/out requiring a warrant? Portal for reporting?

I'm guessing some kind of NDA w/govt. as well after the Synagogue 'incident'.
* keep in mind, after the above mentioned 'incident' Andrews entire account was scrubbed of all content.
**Yours was not.

I question everything and value transparency.

That's it for now. *steps off soapbox*

GabMon website is
Powered by Webnode
Create your website for free! This website was made with Webnode. Create your own for free today! Get started