Gab Public API access

12/06/2021

What is a Gab public API?

It's an API URL (Application Programming Interface / Uniform Resource Locator): a web address that returns data rather than a page, and that anyone can view simply by opening the address in a web browser.

List of publicly accessible APIs (subject to updates):
https://gab.com/api/v1/account_by_username/username (replace the trailing 'username' with the username desired)
https://gab.com/api/v1/accounts/10000 (replace the trailing number with the UID# desired)
https://gab.com/api/v1/expenses (returns the current % of funds met for monthly operating expenses)
https://gab.com/api/v1/groups/12 (replace the trailing number with the group # desired to see that group's stats)
More specific information on use is explained below.


Baseline URL example for user info by username: https://gab.com/api/v1/account_by_username/a

The above API/URL can be used to determine the UID# (user id #) of any user. It will also show you the exact server time/date when the account was created.

You can also look up a username to see whether the account has been reported and declared a bot (this lookup works even when the profile page itself will not load): the 'is bot' field in the JSON-formatted record/manifest will read 'True'. If instead the response is an error, that indicates the account has been 'removed' (more about 'removal' later).

For Andrew Torba's account, the API response above shows the account's creation date and the UID# assigned to it. What you see in the response is essentially a manifest of information that the database formats to be read into each user's profile page.

To use the API URL, simply replace 'a' with the username of the account you're seeking information on and open the page in your browser.

Example: https://gab.com/api/v1/account_by_username/e

*The above link will show you the very first account created for the Gab platform (note the UID# is 1), back when Gab first started and was running on .ai and an MS Azure cloud with a framework utilizing Laravel/PHP for session management. (Gab's lesson learned? MS is not your friend.)


So, once the UID# of a username is acquired, there's another public API that allows you to inspect users by their UID#:
https://gab.com/api/v1/accounts/31 (as in the example above for Andrew Torba; this API loads the same DB records (manifest) that load his specific info and statistics into his profile page when you access it via a browser).
You can replace the number at the end of the link with the number you're interested in, and at this point begin to see what information might be acquired by cross-referencing the data returned by these two public API URLs.
So, what's the point Ink?
Well, there are several. (w/POC's, which I'll get into later, they include bots/scripts and scrapes)
For now, consider the following;  https://codeberg.org/operator9/gab-user-scraper
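Because the accounts endpoint is keyed by a plain sequential integer and requires no login, the scripting and scraping the post alludes to leaves a distinctive trace on the server side: one client stepping through consecutive UIDs, including IDs that return 404 because no account exists behind them. The following is an added example (not code from the original post or from the linked scraper) that detects that pattern in web-server access logs. The log lines are constructed for the example, the client addresses are from the RFC 5737 documentation ranges, and the thresholds (`window`, `min_run`, `max_gap`) are assumed values a defender would tune to their own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in combined-log format. The client
# addresses, timestamps, account numbers and byte counts are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Dec/2021:10:00:01 +0000] "GET /api/v1/accounts/31 HTTP/1.1" 200 1843
203.0.113.7 - - [06/Dec/2021:10:00:02 +0000] "GET /api/v1/accounts/32 HTTP/1.1" 200 1702
203.0.113.7 - - [06/Dec/2021:10:00:02 +0000] "GET /api/v1/accounts/33 HTTP/1.1" 404 61
203.0.113.7 - - [06/Dec/2021:10:00:03 +0000] "GET /api/v1/accounts/34 HTTP/1.1" 200 1790
203.0.113.7 - - [06/Dec/2021:10:00:04 +0000] "GET /api/v1/accounts/35 HTTP/1.1" 200 1655
203.0.113.7 - - [06/Dec/2021:10:00:05 +0000] "GET /api/v1/accounts/36 HTTP/1.1" 200 1811
198.51.100.20 - - [06/Dec/2021:10:01:10 +0000] "GET /api/v1/account_by_username/a HTTP/1.1" 200 1843
198.51.100.20 - - [06/Dec/2021:10:20:15 +0000] "GET /api/v1/accounts/31 HTTP/1.1" 200 1843
198.51.100.20 - - [06/Dec/2021:11:05:00 +0000] "GET /api/v1/groups/12 HTTP/1.1" 200 902
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ACCOUNT_ID_RE = re.compile(r'^/api/v1/accounts/(\d+)$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def detect_id_enumeration(lines, window=timedelta(minutes=5), min_run=5, max_gap=3):
    """Return one finding per client that walked account IDs in ascending order.

    A 'run' is a series of GET /api/v1/accounts/<n> requests from one IP where
    each ID is between 1 and `max_gap` above the previous one and the whole run
    fits inside `window`. Runs of at least `min_run` requests are reported,
    together with how many of them returned 404 (IDs with no account behind
    them, which an ordinary profile view never produces).
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        m = ACCOUNT_ID_RE.match(rec["path"])
        if m:
            per_ip[rec["ip"]].append((rec["ts"], int(m.group(1)), rec["status"]))

    findings = []
    for ip, hits in per_ip.items():
        hits.sort()  # chronological, then by ID for hits in the same second
        run = [hits[0]]
        best = run
        for prev, cur in zip(hits, hits[1:]):
            sequential = 0 < cur[1] - prev[1] <= max_gap
            in_window = cur[0] - run[0][0] <= window
            run = run + [cur] if sequential and in_window else [cur]
            if len(run) > len(best):
                best = run
        if len(best) >= min_run:
            findings.append({
                "ip": ip,
                "first_id": best[0][1],
                "last_id": best[-1][1],
                "requests": len(best),
                "not_found": sum(1 for _, _, status in best if status == 404),
                "span_seconds": (best[-1][0] - best[0][0]).total_seconds(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_id_enumeration(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed sample this reports a single client that requested UIDs 31 through 36 in four seconds, one of which was a 404; the second client, which looked up one username, one UID and one group over an hour, is the shape of a human reading profiles and is not flagged. The 404 count is the useful discriminator: a browser only ever asks for IDs that a rendered page linked to, so misses concentrated in one client are a strong signal of blind enumeration rather than a spike in legitimate traffic.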

There is also a public API for Gab's groups (by number) here: https://gab.com/api/v1/groups/12 (using the Intro. Yourself group as an example), and a searchable list of groups created by B-Tux at the following URL, though it hasn't been updated in quite some time.

https://btux.wtf/gab/gab-groups-search/  There is also a link there for Gab-affiliated sites and a 'chat room' search feature.

So, how does one find these public APIs? There are a few ways. One of the easiest is to use your browser's developer tools and watch the requests the page sends in the DOM/Network panels, or you could use a browser plug-in/extension like 'LiveHeaders' to capture the traffic live. Network analysis tools such as SocSpy, Wireshark and Nmap can also be used.

Scanners developed specifically for finding API site vulnerabilities (such as TruffleHog) are also an option, though I wouldn't recommend them for anyone who doesn't understand passive/anonymous scanning while pen-testing.


So what's the difference between a Public API and a Private API?

Stay tuned, as it'll all make sense in the next post.


