Gettr, a social media platform set up by allies of former President Donald Trump, was still wet and squirming when it got hacked – twice.
The first slap on the rump for the politically conservative platform came in the form of Sonic the Hedgehog-themed porn that flooded it over the Fourth of July holiday weekend, as first reported by Mother Jones. Comments under the platform’s welcome message included pornographic images and GIFs, while users also spammed the platform’s first post with graphic hentai videos and images of Hillary Clinton’s face photoshopped onto a woman’s naked body, according to the outlet.
Next, on the day of Gettr’s birth, on Sunday, July 4, came the first hack, when the profiles of many prominent members were defaced.
The second cyber-assault came early today (Tuesday), when hackers posted a database containing what they claimed were 90,000 users’ email addresses, usernames, status, location and more.
Gettr – a Twitter-esque platform with posts and trending topics – was quietly launched on Thursday by Jason Miller, a senior adviser to Trump who’s been teasing it for months. First spotted by Politico, Gettr advertises itself on the Google Play and Apple app stores as a platform “founded on the principles of free speech, independent thought and rejecting political censorship and ‘cancel culture’” and as “a non-bias social network for people all over the world.”
Miller confirmed to Reuters that the platform was briefly hacked on Sunday, as more than half a million people registered. “The problem was detected and sealed in a matter of minutes, and all the intruder was able to accomplish was to change a few user names,” Miller said in an email to Reuters.
According to Insider, the accounts were first hacked around 8:30 a.m. EST on Sunday, with most profiles restored by 10 a.m. EST.
‘JubaBaghdad’ Was There
Multiple Twitter users shared screenshots of the defaced profiles for some of the site’s most prominent users, including that of Miller, former CIA director Mike Pompeo, former Trump advisor Steve Bannon, and pro-Trump congresswoman Marjorie Taylor Greene.
Jason Miller's new right-wing social media site "Gettr" was hacked this morning. pic.twitter.com/cncddw9RZ9
— Zachary Petrizzo (@ZTPetrizzo) July 4, 2021
The profiles for Harlan Hill, Sean Parnell, the pro-Trump broadcaster Newsmax, and Gettr’s official support page were also defaced, as was first reported by Insider.
The profiles were changed to show the same message, which started out as “@JubaBaghdad was here 🙂 ^^ free palestine ^^” and then apparently switched to the message “JubaBaghdad was here, follow me in twitter :)”.
JubaBaghdad, who describes himself as a white-hat hacker, told Insider on Monday that Gettr managed to fix the poorly implemented API that he had pried open for the attack, but that the fix didn’t keep him from scraping user data from individuals’ accounts. He confirmed it by sharing details of a test account that was set up by Insider. JubaBaghdad said that the hack was technically “easy” to do – it only took about 20 minutes – and that his motivation was “just for fun.”
Next: The Stolen User Database
Then, in the wee hours of Tuesday morning, Alon Gal, co-founder and chief technology officer of the cybersecurity firm Hudson Rock, flagged the ripped-off database.
“Threat actors were able to take advantage of bad API implemented on Trump’s recent social media platform, Gettr (@GettrOfficial). This allowed them to extract usernames, names, bios, bdays, but most importantly, the emails which were supposed to be private, of over 85,000 users,” Gal tweeted, including images of the hacked data.
Threat actors were able to take advantage of bad API implemented on Trump's recent social media platform, Gettr (@GettrOfficial).
This allowed them to extract usernames, names, bios, bdays, but most importantly, the emails which were supposed to be private, of over 85,000 users. pic.twitter.com/NsKyz9zHmQ
— Alon Gal (Under the Breach) (@UnderTheBreach) July 6, 2021
One of the people whose email is in the database confirmed to Motherboard that they are indeed a registered Gettr user. The outlet further verified the database by trying to create accounts with other email addresses from the database. Its attempts were blocked by the site, which told Motherboard that “The email is taken,” suggesting that those email addresses do in fact belong to previously registered Gettr users.
Threatpost has reached out to Gettr support to verify that the platform’s user database was exposed and that a poorly configured API was the cause, and to find out if it has informed or plans to inform affected users.
A Predictable Pratfall
Data scraping can lead to targeting by cyberattackers. It happened last week, when data on the 1.2 billion victims of LinkedIn’s data scraping attack – a refined database of 88,000 U.S. business owners – was posted in a hacker forum.
Gettr may have been caught off-guard by the hacks, but plenty of people saw it coming. On the day Gettr launched, security and privacy researchers flagged Gettr’s poorly programmed, bug-ridden API. One of them was Ashkan Soltani, a security and privacy researcher and former FTC chief technologist, who found two bugs: one that would allow anyone to brute-force the app’s API by feeding it a list of email addresses and getting a response that shows which ones have successfully registered with Gettr, and another that allowed for the viewing of a list of users that any given user has muted or blocked.
Even with such basic functionality, GETTR already has a small privacy issue whereby you can indiscriminately query whether an email address has been used to register (with no rate limiting or token required) https://t.co/9izcGWT5TI pic.twitter.com/2hyiAIFHMa
— ashkan soltani (@ashk4n) July 1, 2021
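The registration-check flaw described above (a distinct answer per address, with no rate limiting or token required), shown next to a hardened handler. This is an added Python example, not Gettr's code: every function and class name is hypothetical and the sample addresses are constructed.

```python
import time
from collections import defaultdict, deque

REGISTERED = {"alice@example.com"}  # constructed sample account store

def leaky_check(email):
    """Flawed pattern: no token, no throttle, answer reveals registration."""
    taken = email in REGISTERED
    return {"status": 200, "body": "The email is taken" if taken else "ok"}

class HardenedSignup:
    """Hypothetical handler: token required, throttled, uniform response."""

    def __init__(self, valid_tokens, limit=5, window=60.0, clock=time.monotonic):
        self.valid_tokens = set(valid_tokens)
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)   # client id -> recent request times
        self.outbox = []                 # stands in for an outbound mail queue

    def _throttled(self, client):
        now, recent = self.clock(), self.hits[client]
        while recent and now - recent[0] >= self.window:
            recent.popleft()             # forget requests outside the window
        if len(recent) >= self.limit:
            return True
        recent.append(now)
        return False

    def check(self, client, token, email):
        if token not in self.valid_tokens:
            return {"status": 401, "body": "token required"}
        if self._throttled(client):
            return {"status": 429, "body": "too many requests"}
        # The real outcome goes only to the mailbox owner, never to the caller.
        self.outbox.append((email, email in REGISTERED))
        return {"status": 202, "body": "Check your inbox to continue"}
```

Because the hardened handler answers identically for registered and unregistered addresses, a list of emails fed to it yields nothing to sort on, and the throttle bounds how fast any one client can try.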