DEV Community

Eva

The day I broke Gab.ai

Intro

As a social network, Gab is trash... but a great way to learn from other people's mistakes, and that's what this post is all about!
They have a JSON API (only used internally; they don't mention it anywhere) for basically everything, and most of it is not rate limited.
Obviously, I wanted to see what I could do with it.

The beginning

Once I had written PHP functions for everything the API had to offer, I made a simple bot that would take the messages people sent it, pass them through Cleverbot and post the answer...
Until it stopped working: my IP was blocked from viewing my notifications. Forever.
I thought about all the bot accounts that had followed me as soon as I created my account. They probably don't limit how many people you follow!
And it turns out they don't. Looking at your timeline isn't limited either. My plan: follow every single user and look at my timeline to see if anyone mentioned the bot.

The mess

I set it up so my bot followed about 100 users every 5 minutes, checked my follow count from time to time, then went to bed.
2 March 2017: Gab is having trouble loading, other people are starting to report the problems, and I just assume they are getting DDoSed by some skid.
The next day, everyone was getting 502 or 504 errors, meaning we could not even message @support to ask what was going on.

The aftermath

After a week or so, everything was back to normal.
I went to tweak some things on my bot, but the account had disappeared; that's when I realised I was probably the cause of this.
It had followed 145k accounts at a slow pace, and all it was doing was checking its timeline like a normal user would.

Lessons learned: check whether your whole website can be taken down by simply following a lot of people, and rate limit your API even if you think you will be the only one using it.

Note: This can still be done, it doesn't look like they fixed anything.
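One way to apply that lesson on the server side, as an added example that is neither Gab's code nor the author's bot: a sliding-window rate limit on the follow endpoint plus a hard ceiling on how many accounts one user may follow, replayed against the post's own pattern of 100 follows every 5 minutes. The limits of 400 follows per hour and 5,000 total are assumed values, not anything Gab uses.

```python
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = {}  # key -> deque of event timestamps (seconds)

    def allow(self, key, now):
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:  # forget events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class FollowPolicy:
    """Guard for a follow endpoint: a rate limit plus a cap on total follows."""

    def __init__(self, per_hour, max_following):
        self.limiter = SlidingWindowLimiter(per_hour, 3600)
        self.max_following = max_following
        self.following = {}  # user -> set of accounts they follow

    def try_follow(self, user, target, now):
        followed = self.following.setdefault(user, set())
        if target in followed:
            return "already"
        if len(followed) >= self.max_following:  # ceiling hit: reject before limiter
            return "cap"
        if not self.limiter.allow(user, now):
            return "rate"
        followed.add(target)
        return "ok"


def simulate_bot(policy, user, batches, batch_size, interval):
    """Replay the post's pattern: `batch_size` follows every `interval` seconds."""
    results = {"ok": 0, "rate": 0, "cap": 0, "already": 0}
    target = 0
    for b in range(batches):
        now = b * interval
        for _ in range(batch_size):  # constructed target names, one per attempt
            results[policy.try_follow(user, f"acct{target}", now)] += 1
            target += 1
    return results
```

With these limits the bot from the post gets 400 follows in its first hour instead of 1,200, and the cap stops it at 5,000 accounts during the second day.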

Top comments (2)

Russian Bot

Gab is a UI disaster, in a digital ghost town with no sheriff. I believe the editors at columbianpost.com did a piece on how easy it is to abuse the API, as well as the lack of any measures to prevent DM spam or mass following the entire user base lol.

Mathieu PATUREL

Interesting. I'll remember that when I create my own API.