Was Parler just a ‘honeypot’ after all?

Parler is a social media platform that has been around since 2018, but rose to some prominence last year (2020) when a number of ‘pro-Trump’ conservative voices in the USA started getting banned from Twitter.

Long-term readers of this site will know that the Grumpy Owl does not have any presence on Facebook or Twitter, though I did sign up to both Gab and Parler, but never really became active on either platform.

Early this year (2021), prior to the inauguration of Joe Biden as Donald Trump’s successor as President Of The USA, there was a much-reported ‘riot’ and storming of the Capitol building in Washington DC, and Parler caught a lot of flak, with accusations that this ‘riot’ was organised by pro-Trump supporters on their platform.

Parler was eventually blocked by both Apple and Google from listing their app in their stores, and Amazon suspended their AWS hosting account, which essentially shut down the website.

But prior to the site being shut down by Amazon, it was subject to a ‘hack’, which saw 56 terabytes of data, including user accounts, posts and images/videos, being downloaded.

This article goes into some lengthy detail about this ‘hack’: https://observer.com/2021/01/how-parler-was-hacked-on-wordpress-risk/

I didn’t even realise at the time that Parler was built on WordPress; that was news to me.

What I did find ‘odd’ at the time was that in order to become a ‘verified citizen’ on Parler, one had to upload images of their driving licence – which ruled me out as I am neither a US citizen, nor do I hold a driving licence!

I do remember from 2020 that there was a ‘big push’ amongst alternative circles to get people to switch from Twitter to Parler.

I was concerned at the time that perhaps Parler was being pushed and set up as some kind of ‘honeytrap’ – after all, people were eager and keen to move from Twitter to this new ‘free-speech’ platform.

Parler’s designers didn’t restrict access to the API by requiring authentication. Users did not need specific credentials to access the data on the back end. That left an enormous back door open.

Most websites aware of basic security protocol don’t allow access to the API without some form of user authentication to ensure the request isn’t malicious. As The Startup pointed out, two common authentication solutions are API keys and “tokens,” both of which require some valid credentials that also allow the website to know who’s accessing the data.

No authentication requirement left a door ajar. On top of that, Parler’s designers didn’t bother to add a second layer of defense in the way of rate-limiting—meaning instead of a door ajar or left cracked, the door was wide open.

Rate-limiting caps how much data a user can access regardless of credentials. Web users may have seen 429 “Too Many Request” error messages out in the wild, which is a sign that there have been too many knocks or attempts to pass through the door. Parler didn’t have this, either, which meant that once the unsecured back end was accessed, @donk_enby was also able to archive Parler’s data within 48 hours. (Oddly enough, as The Startup pointed out, Amazon Web Service has a basic firewall option that Parler didn’t seem to bother with.)

Finally, Parler also allowed posts its users believed were deleted to be both available and easily discovered once someone was in the back end. In the aftermath of the deadly riots, some Parler users, aware of the reams of evidence available on the web, encouraged others to delete their posts from January 6.

https://observer.com/2021/01/how-parler-was-hacked-on-wordpress-risk/
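The three controls the quoted passage says Parler lacked (token authentication on the API, rate-limiting that answers with HTTP 429, and keeping soft-deleted posts out of API responses) shown together as an added example in plain JavaScript; this is not Parler’s code or the Observer’s, and the tokens, post records and limits are constructed placeholders.

```javascript
// Added example: a minimal API gate for a GET /posts endpoint that applies
// authentication, per-identity rate-limiting and soft-delete filtering.
// Every value below is constructed for illustration only.
const VALID_TOKENS = new Set(["tok-alice-123"]); // placeholder issued tokens
const POSTS = [ // sample records; "deleted" marks a post the user removed
  { id: 1, author: "alice", text: "hello", deleted: false },
  { id: 2, author: "alice", text: "oops", deleted: true },
];
const RATE_LIMIT = 5;      // requests allowed per window, per token
const WINDOW_MS = 60_000;  // fixed window length in milliseconds
const buckets = new Map(); // token -> { count, windowStart }

// Returns true while the caller is within quota, false once it is exceeded.
// Keyed on the authenticated identity, so a caller cannot evade the cap by
// rotating source addresses.
function allowRequest(token, now = Date.now()) {
  const b = buckets.get(token);
  if (!b || now - b.windowStart >= WINDOW_MS) {
    buckets.set(token, { count: 1, windowStart: now });
    return true;
  }
  b.count += 1;
  return b.count <= RATE_LIMIT;
}

// Simulates one request: reject unauthenticated callers first, then apply
// the rate limit, and only then touch data, which is filtered and projected
// so that deleted rows and internal fields never leave the server.
function handleRequest({ token, now = Date.now() }) {
  if (!token || !VALID_TOKENS.has(token)) {
    return { status: 401, body: { error: "authentication required" } };
  }
  if (!allowRequest(token, now)) {
    return { status: 429, body: { error: "Too Many Requests" } };
  }
  const visible = POSTS.filter((p) => !p.deleted)
    .map(({ id, author, text }) => ({ id, author, text }));
  return { status: 200, body: visible };
}

// Clears limiter state; handy between runs or tests.
function resetBuckets() { buckets.clear(); }
```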

Now I use WordPress myself, both on this very site and on others that I have built and maintained, and I do find this a little questionable. WordPress itself does have its own API interface, and plugins can expand on this API capability.

I guess the question begging to be answered here is: were Parler so desperate to get people onto their platform that they overlooked these basic security measures as an ‘oversight’? Or was the operation set up deliberately in order to ‘harvest’ conservative ‘right-wing’ voices, ready for a ‘hack’ which could acquire mass amounts of data on such ‘dissenting voices’?

Regardless of whether you believe there was a ‘riot’ at the Capitol building or not, the fact that people involved had their Parler activity handed over to law enforcement agencies should raise some concerns for all.

It appears that Parler has been back up and running since February 2021, though as a member I did not receive any notification from them to inform me of this.

Looking at the source code of the site, it does not appear to be WordPress-based now, not that I can see anyway.

I also note that certain people that I do follow, who have a presence on Parler, have not been advertising the fact that Parler is ‘back’, and that we should be following them again on that platform.

So yes, I do have my own doubts and reservations, and I wonder if the Parler ‘fad’ is now over because it has served its purpose.

Was Parler just being used as a ‘honeypot’ in order to harvest data? And can it still be considered a ‘credible’ alternative social media platform?

Please let me know your thoughts!