In one of the year’s weirdest attacks, a Gamergate-aligned troll has hacked the crowdfunding website Patreon, exposing 15 gigabytes of users’ personal information. People who don’t know much about the internet might need some help unpacking that sentence, but rest assured: this story is the perfect storm of angry black-hats, stupid admins, and pathos.
First, a glossary:
Gamergate is an anarchic collection of individuals who care too much about video games. They formed as a backlash against prominent feminists who argued for more representation of women in the medium. Their more extreme members spend their time sending elaborately gruesome death threats to people (mostly women) with whom they disagree. Their more moderate members spend their time telling anyone who’ll listen that, in spite of what the extremists are doing, the core of their movement is focused on ethics in games journalism. They’re a strange and pathetic bunch.
Patreon is a crowdfunding website, sort of similar to Kickstarter. People pay their favorite artists a small monthly subscription, and in return, that artist produces work which can only be seen by their subscribers. It’s a neat experiment in how the creative class can earn a living in the 21st Century. Also, it has almost nothing to do with Gamergate in any particular way.
Hacktivism refers to the practice of hacking the internet presence of one’s political opponents, either to damage their ability to speak freely on the internet or to co-opt their media in the service of one’s own agenda or both. Examples of hacktivist organizations include the Syrian Electronic Army, Anonymous, LulzSec, and whoever hacked that one billboard to display an image of Goatse.
Now, the story:
The problem with hacktivism is that the people who have hacking skills aren’t likely to be the same people who are well-versed in political theory, propaganda, or marketing. For example, the Syrian Electronic Army may have found it easy to hack the Washington Post Twitter feed, but it probably did not convert anyone to the cause of Syrian President Bashar Assad.
Not really convincing, guys.
Similarly, the ideological underpinnings of the Patreon hack are… confusing, at best. Gamergate has no particular animus against Patreon. In fact, several of the movement’s supporters use the site to support themselves. Nonetheless, the hacker in question has publicly admitted to hacking Patreon in the name of Gamergate.
Strangely, this individual has also publicly admitted to hacking several websites associated with Gamergate itself. This suggests one of two things. He might be an extremist in the movement who wants to punish its moderate supporters. Alternatively, he might be completely outside Gamergate and doing all of this simply to irritate a group of people who are legendarily easy to rile up. Either way, fifteen gigabytes of personal information, in part belonging to artists whose work I enjoy, are now in the hands of someone who is no doubt a deeply odious person.
Of course, I’m not letting Patreon off the hook for this one either. They were warned. Detectify, a security research firm, warned Patreon about a code library on their website. The presence of a code library is, in and of itself, entirely innocuous, but that particular library, known as Werkzeug, ships with a debugger that, when left enabled, responds to any unhandled error in its associated web application by showing an interactive console in the visitor’s browser. That console lets whoever triggered the error inspect the site’s code and run commands on the server in real time.
Werkzeug’s debugger is not supposed to be enabled on any website that is live and open to the public, because any member of the public who causes an error on that site could then go ahead and have their way with the server. This is exactly what happened to Patreon.
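To make the distinction concrete, here is an added example (not code from the article, from Patreon, or from the Werkzeug project) of the two ways a small WSGI application can react to an unhandled error. It uses only the Python standard library, so it runs without Flask or Werkzeug installed. The “exposed” handler stands in for what an interactive debugger leaks to the visitor who caused the error (a full traceback with source context; a real debugger adds a console on top of that); the “hardened” handler shows the visitor a generic page with an opaque reference id and keeps the details in the server log. The `FLASK_DEBUG` variable is the real one Flask honours; `APP_ENV`, the `?boom=1` trigger and all function names are assumptions made for this example.

```python
"""Exposed vs hardened error handling in a WSGI app (added example, stdlib only)."""
import logging
import traceback
import uuid
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("app")


class _ListHandler(logging.Handler):
    """Keeps formatted log records in memory so the server-side log can be inspected."""
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


server_log = _ListHandler()
log.addHandler(server_log)
log.setLevel(logging.ERROR)
log.propagate = False


def view(environ):
    # Constructed request handler: "?boom=1" raises, standing in for whatever
    # malformed input a visitor could use to provoke an error on a real site.
    if "boom=1" in environ.get("QUERY_STRING", ""):
        raise ValueError("simulated application error")
    return b"hello"


def exposed_app(environ, start_response):
    # Weak pattern: the visitor who caused the error receives the full traceback,
    # including file paths and source lines. This is the information an
    # interactive debugger exposes, minus the console that lets them run code.
    try:
        body = view(environ)
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [body]
    except Exception:
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [traceback.format_exc().encode()]


def hardened_app(environ, start_response):
    # Safe pattern: a generic message goes to the client, the traceback goes to
    # the server log, and an opaque id ties the two together for support staff.
    try:
        body = view(environ)
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [body]
    except Exception:
        error_id = uuid.uuid4().hex
        log.error("error %s on %s %s\n%s", error_id, environ.get("REQUEST_METHOD"),
                  environ.get("PATH_INFO"), traceback.format_exc())
        start_response("500 Internal Server Error", [("Content-Type", "text/plain")])
        return [f"Something went wrong. Reference: {error_id}".encode()]


def call(app, query=""):
    """Run a WSGI app against a constructed request; returns (status, body_text)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["QUERY_STRING"] = query
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


def safe_to_start(env):
    """Deployment preflight: refuse to start with the debugger on outside development.

    `env` is a mapping of environment variables. FLASK_DEBUG is Flask's real
    switch; APP_ENV is an assumed name for the deployment tier.
    """
    debug_requested = env.get("FLASK_DEBUG", "0").lower() in ("1", "true", "on")
    in_development = env.get("APP_ENV", "production") == "development"
    return not debug_requested or in_development


if __name__ == "__main__":
    print(call(exposed_app, "boom=1")[1])
    print(call(hardened_app, "boom=1")[1])
    print(server_log.records[-1])
```

Run the file directly to see the contrast: the exposed handler prints a traceback naming the file and the failing line, while the hardened handler prints only a reference id, and the traceback shows up in `server_log` instead. The `safe_to_start` check is the kind of guard that belongs in the application’s startup path, so that a debug flag left over from development cannot silently reach a public deployment.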
There was a five-day gap between the warning that Patreon received and their first indication that their site had been penetrated. This is, frankly, inexcusable. The ramifications of the Werkzeug vulnerability are more than worrisome. Think about taking candy from a baby. Now think about that baby literally offering you its candy. That’s how easy it is to hack a site with this particular flaw, and it is astonishing that this error was not fixed.
I can’t claim to understand the mindset of someone who would not prioritize fixing a mistake like this. All I know is that plenty of companies choose to believe that they aren’t targets — that they’re too small and inoffensive to make an appetizing target for a hacker. Here’s the thing though: ideological hackers don’t care that you’re small. They want to make a point. And given that they’re no masters of communication, they’re not likely to care when the target they choose has almost no relevance to the point that they’re making.