Destroying Gab, with words, on a screen, but at least it’s not LiveJournal!

“build it yourself social media back end for blog comments”


Greetings Kids,

It’s been a while since I did a post exposing and pointing out major flaws while laughing hysterically. This might be the worse one yet, especially if the information about Gab’s founder, Andrew Torba, are correct. The reason he got kicked out of the big kid clubs was because he kept doing pump and dump schemes selling everyone’s data afterwards. I don’t know if his new social media platform will be the one project he isn’t going to abandon after raking in all his donations, we can hope this “Free Speech Warrior” will surprise everyone?  😉 Tigers can change their stripes guys, you just gotta wish and believe really hard? Is Gab running off of a $49 build-it-yourself social media kit an indicator of possible doom? Did Gab stopped doing live notifications for some nefarious reason? Nah! Of course not!

Gimmie Info

A lot of people heard of this social media platform because of Twitter’s lack of sanity and political censorship, which gets worse every year as stock prices keeping going lower and lower. Gab’s marketing was literally just “Got banned on twitter? Come to Gab! We’re different!”. When I eventually got in, it was a pro-trump utopia, but I never saw anything I’d really say is that bad. It was the biggest self serving hugbox I’ve ever seen and puts any SJWs to shame. You’d get live notifications with a frog croak that sounds like a small animal dying, 300 char posts where you could write something meaningful, but it was lacking a lot of basic features. A major one was private messaging as well as a lack of an API, which becomes apparent why the further I dug into it.

Pusher Gab API Pusher Gab API

External Images Loading

When I first started looking into the back end with my favorite debugging proxy fiddler, I noticed literally everything is written in JavaScript (can I emphasize literally?), and all the interactions between between gab’s server and the browser was all JSON. The biggest issue I saw was the Cross Site Scripting potential of this setup, as gab was actually pinging every single website, then having a client’s browser do direct requests to the website in order to having a fancy display summary images and such. This effectively has the potential to harvest any user’s IP address, and since it’s all in JavaScript, high potential of Cross Site Scripting drive by deanonymizing. After announcing a bit of this in public, some people have in private confirmed this not just likely but they can do Cross Site Scripting attacks on Gab. Say what you want about Twitter, but at least they have CDN caching to prevent leaking their own user’s information. But Gab DOES have a CDN from Microsoft Azure for static assets, so why are they not protecting their user’s information? The conclusion I’ve come to is Gab is made to be as cheap as possible but still somehow work dangling off a cliff. The reason why they have no API is because the API is pusher.

No Infrastructure

This isn’t suspicious at all!

The next surprise was looking at the home page on Gab, and seeing there was some kind of stats collector. I initially overlooked it, but I didn’t realize the significance until I did a second glance. This was some kind of build it yourself social media rapid deployment kit for dummies that handled all the back end work done. I browsed over to the pricing plans they had, did some collection as to current Gab’s usage of approximately 30k posts per day they seem to just fall into the $49 Startup plan at present. I suspect live notifications stopped working for a bit sometimes, because it might be a way to save from having to upgrade to the next paid plan, or it could just be incompetence, it’s honestly hard to tell.

Pusher Pricing

I do know someone is going to say the what if they did the custom solution consultation but pusher is for stuff like live chats and blog comments, not a knock off improved twitter, which is really 300 char blog comments. The amount of money spent doing that kind of consultation is way above making a deal with a single developer (or many) to help build it at a fraction of the price, or in this case a single developer rigging pusher. I think they use pusher as a means to not spend money on proper hosting and a better solution, like GNU Social, which would require a back end with their own servers, or at least Amazon Cloud.

What can you do in minutes?

This is a very significant discovery, as it explains the lack of coming out with features that are trivial for even a single developer to do, because there just isn’t any support for their build it yourself social media back end for blog comments. Gab has been doing donation drives and giving people check marks to help support it but there really isn’t much cost to run it as biggest parts of it are cheaply outsourced like pusher. The “beta testing” of uploading images before it becomes available to everyone is likely related to Microsoft Azure’s CDN prices per GB.

I’m not going to claim this is some kind of scam like the rest of Andrew’s projects but if I was doing an exit scam, this is how I’d do it! Low overhead! He’ll get that sweet user data and PayPal logins via password reuse, that is in my opinion!

Disclaimer: !LOL! Hacking is illegal !LOL!

Last Minute Update:

The notorious hacker, known as 4chin, has contacted me to include a list of things you really shouldn’t do on Gab. There is no input validation and issues with authentication so don’t use wget or curl, passing the cookies + UA + appropriate POST data anywhere, that is just naughty. The Grand 4chin also informed me that their data was already being sold by Gab and they have no hashing on their passwords. LOL! This might be in relation to the current PayPal donations and those silly people who reuse their passwords donating (Just a theory). I’m not saying anything but I think those people are going to have a bad time. There goes the neighborhood, oh well, epic sad face emoji that 😦 can’t express

This Is Libel



I accept legal documents, requests, inquiries, and other related legal stuff I can post and publicly ridicule via email at LOLUMAD @ OCCULTUSTERRA DOT COM. You can optionally rage like a Muppet at 1-860-263-9252.

Random Updates!

gab-fixes-httpsDays after these issues were raised by me, they start fixing some of the problems. The downtime to fix these problems were conveniently claimed to be DDoS attacks by girlfriend in order to solicit malicious attacks against us for pointing out most of Gab’s security flaws. Talk about Free Speech, Amiright? They don’t seem to like our Free Speech much, I wonder why! LOL!


4 thoughts on “Destroying Gab, with words, on a screen, but at least it’s not LiveJournal!”

    1. I can’t see the post as I’m not accepting the new TOS but my guess is something like “come at me bro”. Since it looks like the front end is entirely in JavaScript and I don’t program in it, I’d be pretty ineffective at looking into it. Others have looked into it and as stated, found some XSS and sent me proof of it as well as the database being compromised.


      1. From engineer @e:

        “@alexander I respect your opinions. I am just saying that post is 100% false and everyone is free to hack us if we have those vulnerabilities in that post.”

        in reply to me saying “@e Maybe if your CEO didn’t spend his spare time on the company twitter harassing peeps, y’all could be treated like grownups. Unfortunately Gab has some huge hurdles to jump over due to that.

        *the orig draft of this gab had “douchebag” and “egomaniac” omitted in order to stay professional*”


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s