
Why MAGA Social Media Is a Hacker’s Wet Dream

AMATEUR HOUR

The flurry of social media apps aimed at conservatives promises free speech will reign—but more often than not they’re crashing and burning before they can even get going.


When a photo of a pig in an obscene position smothered in poop was posted to an account that appeared to belong to former President Donald Trump on his newest social media platform, it was clear that his so-called “Truth Social” had already fallen into a familiar trap.

Like Gab, Parler, and Gettr before it, Truth Social is just the latest alternative conservative social media platform to burst onto the scene and immediately bungle its debut.

And if its predecessors’ public fumbles are any guide, it’s not over yet, because the only thing more inevitable than a new app launch touting free speech is an embarrassing string of hacks, mass scrapes, pranksters taking advantage of loopholes, and content moderation dumpster fires that follow their debut.


These kinds of incidents plague MAGA social media with such regularity that it raises an important question: Why are they all so bad at this?

Experts say that the teams behind the new crop of conservative social media apps demonstrate a critical lack of technical skills, experience in running major social media apps, and interest in or awareness of the kinds of threats that social media platforms face in keeping hackers, creeps, and terrorists from harming their users. And while Trump’s new app has yet to formally launch, security experts aren’t optimistic about how well it will fare against the dark side of the internet.

“A lot of these sites end up getting technical problems, a lot of these sites end up being compromised very quickly, a lot of these sites turn out to have data leaks,” Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, told The Daily Beast.

“And sometimes that is because they are immediately a target for hackers who want to make a political point—but sometimes that’s simply because they haven’t taken the most basic security precautions,” Galperin said.

“Some of it is definitely their own incompetence,” she added.

Hackers frequently look for loosely defended application programming interfaces (APIs), the foundation behind applications, Feixiang He, adversary intelligence research lead at security firm Group-IB, told The Daily Beast.

“Attackers systematically search for unprotected APIs in a bid to… extract large batches of data from vulnerable online services unlawfully,” He said. “Threat actors from time to time attempt reverse engineering against the target social network apps.”

Without “good API protection by design, proper access control, and solid anti-reverse engineering techniques of mobile apps,” social media platforms will, in due time, fail users, He said.

The security record for pro-MAGA social media apps isn’t pretty.

Gettr, the app launched by former Trump aide Jason Miller, got hacked on the day of its Fourth of July rollout. A hacker, who goes by the handle JubaBaghdad, crashed the app’s debut by taking over verified accounts for MAGA celebrities Steve Bannon, Mike Pompeo, and Marjorie Taylor Greene. He then used them to push pro-Palestinian political messages.

Just hours later, someone scraped personal data, including email addresses, from 90,000 Gettr users and dumped them on the internet. For Gettr, the problem was with the API, researchers found.

Parler, the social media app founded with money from the wealthy Trump-supporting donors of the Mercer family, suffered similar problems shortly after the Jan. 6 insurrection when activists were able to scrape millions of posts and user content left easily accessible to the open web. Parler’s decision not to scrub revealing location data from the videos uploaded by its users allowed anyone to associate Parler user names with their potential homes and workplaces.


And in February, hackers dumped gigabytes of private messages and user data from Gab, a Texas-based far-right network home to a disturbing number of antisemites and neo-Nazis.

The alt social media app ecosystem suffers from similar problems when it comes to trying to protect users from dangerous content like ISIS beheading propaganda or, in some cases, even child pornography.

"These new platforms have to try and learn all of the lessons of running a social network in a compressed time scale, so they tend to miss a lot of stuff,” says David Thiel, the chief technical officer at Stanford Internet Observatory, which studies social media platforms. “And a lot of times the people that are implementing this haven't been at a company that has had a significant trust and safety operation, so they just don't know the things they're going to be facing."

Stanford’s Internet Observatory published a study of Parler in January, which found that for much of its existence, the app relied on a mixture of user reports and volunteer moderators instead of paid ones to find and remove objectionable content. Court documents from Parler’s lawsuit against Amazon, which booted Parler in January after the Capitol insurrection, show that at one point Parler executives told Amazon the company was stuck under “a backlog of 26,000 reports of content” that violated Parler’s terms of service.

Parler’s former CEO John Matze, who sued the company after he was fired, said as much in a complaint filed in March. According to Matze, an adviser brought on by the Mercer family board to improve the app’s content moderation after Amazon withdrew its hosting, “lacked the technical know-how to actually run such a social media platform.”

Adam Hadley, the director of Tech Against Terrorism, a London-based nonprofit which works with smaller social media platforms to help them find and remove terrorist content, says moderation against extremist content is especially difficult for smaller platforms, which can struggle to find the resources to deal with the problem.

“You can be swarmed very easily by terrorist use,” Hadley says. “There's no easy solution. You need people to be making difficult decisions about content and before you even do that you need to know what your policy is and you need a press and PR capability to deal with media responses.”

Hadley’s nonprofit runs a free terrorist content analytics platform, which offers smaller social media apps free intelligence about when analysts spot extremist content on platforms, but even those kinds of resources aren’t always welcome.

“The problem with the alt tech platforms is that they don't want anything to do with us. When we approach them and say ‘Do you need some help?’ they almost always say ‘No.’” Hadley told The Daily Beast.

Gab CEO Andrew Torba declined to comment on security and privacy guardrails Gab implements, noting in an email, “We only do interviews with Christian media outlets and therefore we have no comment for The Daily Demon.” Gettr, Parler, and Truth Social did not return requests to comment.

Trump’s Truth Social app won’t formally launch until 2022, so it’s still too early to gauge how well the site will handle the security, trust and safety issues that have plagued its predecessors. But even aside from the incident with the barnyard bowel movement, the early signs aren’t encouraging.

Truth Social’s terms of service agreement shows few indications of forethought about how the company will handle these kinds of thorny issues. The platform’s agreement is mostly copied from widely used language found in the terms of service sections of hundreds of smaller websites like PatriotCoolers.com, which face a different threat environment than a social media app run by a controversial former president.

“It does not sound like [Truth Social has] a compliance team. It does not sound like there are lawyers on staff, or anybody even doing the basic due diligence in the same way it doesn’t sound like they have anybody doing the most basic security engineering,” Galperin said, adding that its source code appears to have been taken directly from Mastodon, an open source social media network, but without jumping through all the appropriate hoops.

Mastodon put the pedal to the metal and sent a letter to Truth Social’s legal team last week in an attempt to get them to fess up to their slip-up.

For now, for the newest social media venture in MAGA-land, Truth Social, the future does not look bright, Galperin said.

“I imagine a series of embarrassing security and policy failures followed by a very boring fizzle. I don’t imagine any of these sites are going to replace any of the tech giants anytime soon.”