The Gab Fail Chronicles: LOL DDOS, EULA, and NAZIS

Club Pepe

The dishonesty of Andrew Torba knows no bounds in his latest postings. The reality of the matter, as I understand it, is that most of the downtime was spent fixing the major security issues I’ve raised over the past few days. I do not know how much of it was fixed, but I’m sure there are still major problems to be found. Mr. Torba was well schooled the past few days: using CloudFlare isn’t a magical shield that protects against everything.


It is common knowledge that trying any kind of DDoS attack against a CloudFlare IP will be futile, with little to no intervention needed to block such an attack. His screams of DDoS are fairly laughable, as the vast majority know I do not engage in such ineffective behavior, and I have always been against it. He will continue to tell lies to rile up his angry Neo Nazi Muppets because I exposed how bad Gab really is as an alternative to Twitter. It would be really ironic if he rallied them for the real reason: exposing Gab as a massive, fraudulent security black hole. I’m just not intimidated by his Neo Nazi Muppets, and there isn’t anything anyone can do to stop me from publishing write-ups about Gab. My words, on a computer screen, are far more deadly to Gab’s platform than any silly illegal attack nonsense.


The greatest issue I see here is why none of this was ever fixed to begin with, or even considered to be an issue. If it took me 10 minutes to see major issues all over the place, does Gab really take the security of its users seriously? The answer is just no, they don’t take security seriously, if the most basic skiddiot Hack Forums style methods work unchecked (there have been some claims that Torba is a regular on Hack Forums, for irony). This further solidifies Gab as another pump and dump scam by Torba, when a lot of the basics are not covered at all. Gab doesn’t even have a logout button, but they have an account delete link; that’s curious indeed! You have to change your password via the forgot-your-password reset link on the login page, and this is the recommended way by Gab Support. LOL. UPDATE: Apparently there is a Logout button, in the Settings page, all the way at the bottom. That makes sense … if you’re on drugs.



I don’t wish to keep this post longer than it has to be, but it’s worth mentioning that parts of the updated EULA were a result of us. It’s humbling that Torba spent the day at his lawyers thinking of us, as he pushed out a new EULA from his nether regions that still didn’t impress Apple enough. Even the greatest eJournalist to ever live, Ron Brynaert, noticed this updated EULA with the “snitch” clause. I’m not going to spoil the rest of it, but any users of Gab really do need to read the updated EULA as well as the Privacy Policy.


Destroying Gab, with words, on a screen, but at least it’s not LiveJournal!

“build it yourself social media back end for blog comments”


Greetings Kids,

It’s been a while since I did a post exposing and pointing out major flaws while laughing hysterically. This might be the worst one yet, especially if the information about Gab’s founder, Andrew Torba, is correct. The reason he got kicked out of the big kid clubs was that he kept doing pump and dump schemes, selling everyone’s data afterwards. I don’t know if his new social media platform will be the one project he isn’t going to abandon after raking in all his donations; we can hope this “Free Speech Warrior” will surprise everyone? 😉 Tigers can change their stripes guys, you just gotta wish and believe really hard? Is Gab running off of a $49 build-it-yourself social media kit an indicator of possible doom? Did Gab stop doing live notifications for some nefarious reason? Nah! Of course not!

Gimmie Info

A lot of people heard of this social media platform because of Twitter’s lack of sanity and political censorship, which gets worse every year as stock prices keep going lower and lower. Gab’s marketing was literally just “Got banned on Twitter? Come to Gab! We’re different!”. When I eventually got in, it was a pro-Trump utopia, but I never saw anything I’d really say is that bad. It was the biggest self-serving hugbox I’ve ever seen and puts any SJWs to shame. You’d get live notifications with a frog croak that sounds like a small animal dying, and 300 char posts where you could write something meaningful, but it was lacking a lot of basic features. A major one was private messaging, as well as the lack of an API, and the further I dug into it the more apparent it became why.

Pusher Gab API

External Images Loading

When I first started looking into the back end with my favorite debugging proxy, Fiddler, I noticed literally everything is written in JavaScript (can I emphasize literally?), and all the interactions between Gab’s server and the browser were JSON. The biggest issue I saw was the Cross Site Scripting potential of this setup: Gab was actually pinging every single linked website, then having the client’s browser make direct requests to that website in order to show fancy summary images and such. This effectively has the potential to harvest any user’s IP address, and since it’s all in JavaScript, there is high potential for Cross Site Scripting drive-by deanonymizing. After announcing a bit of this in public, some people have privately confirmed this is not just likely: they can do Cross Site Scripting attacks on Gab. Say what you want about Twitter, but at least they have CDN caching to prevent leaking their own users’ information. Gab DOES have a CDN from Microsoft Azure for static assets, so why are they not protecting their users’ information? The conclusion I’ve come to is that Gab is made to be as cheap as possible while still somehow working, dangling off a cliff. The reason they have no API is because the API is Pusher.

No Infrastructure

This isn’t suspicious at all!

The next surprise was looking at the home page on Gab and seeing there was some kind of stats collector. I initially overlooked it, and didn’t realize the significance until I took a second glance. This was some kind of build-it-yourself social media rapid deployment kit for dummies that handled all the back end work. I browsed over to the pricing plans they had, did some collection of Gab’s current usage of approximately 30k posts per day, and they seem to just fall into the $49 Startup plan at present. I suspect live notifications sometimes stopped working for a bit because it might be a way to save on having to upgrade to the next paid plan, or it could just be incompetence; it’s honestly hard to tell.

Pusher Pricing

I do know someone is going to say “what if they did the custom solution consultation”, but Pusher is for stuff like live chats and blog comments, not a knock-off “improved” Twitter, which is really 300 char blog comments. The amount of money spent doing that kind of consultation is way above making a deal with a single developer (or many) to help build it at a fraction of the price, or in this case a single developer rigging Pusher. I think they use Pusher as a means to not spend money on proper hosting and a better solution, like GNU Social, which would require a back end with their own servers, or at least Amazon Cloud.

What can you do in minutes?

This is a very significant discovery, as it explains the lack of features that are trivial for even a single developer to implement: there just isn’t any support for them in their build-it-yourself social media back end for blog comments. Gab has been doing donation drives and giving people check marks to help support it, but there really isn’t much cost to run it, as the biggest parts of it are cheaply outsourced, like Pusher. The “beta testing” of uploading images before it becomes available to everyone is likely related to Microsoft Azure’s CDN prices per GB.

I’m not going to claim this is some kind of scam like the rest of Andrew’s projects, but if I was doing an exit scam, this is how I’d do it! Low overhead! He’ll get that sweet user data and PayPal logins via password reuse, that is, in my opinion!

Last Minute Update:

The notorious hacker known as 4chin has contacted me to include a list of things you really shouldn’t do on Gab. There is no input validation and there are issues with authentication, so don’t use wget or curl, passing the cookies + UA + appropriate POST data anywhere; that is just naughty. The Grand 4chin also informed me that their data was already being sold by Gab and that they have no hashing on their passwords. LOL! This might be in relation to the current PayPal donations and those silly people who reuse their passwords donating (just a theory). I’m not saying anything, but I think those people are going to have a bad time. There goes the neighborhood, oh well, epic sad face emoji that 😦 can’t express.

Random Updates!

Days after these issues were raised by me, they started fixing some of the problems. The downtime to fix these problems was conveniently claimed to be DDoS attacks by girlfriend, in order to solicit malicious attacks against us for pointing out most of Gab’s security flaws. Talk about Free Speech, amiright? They don’t seem to like our Free Speech much, I wonder why! LOL!