The day I broke Gab.ai
Eva Sep 13, 2017
As a social media site, Gab is trash... but it's a great way to learn from other people's mistakes, and that's what this blog post is all about!
They have a JSON API (only used internally; they don't talk about it anywhere) for basically everything, and most endpoints are not rate limited.
Obviously, I wanted to see what I can do.
Once I had written PHP functions for everything the API had to offer, I made a simple bot that would take the messages people sent it, pass them through Cleverbot and post the answer...
Until it stopped working: my IP was blocked from viewing my notifications. Forever.
I thought about all of the bot accounts that had followed me as soon as I created my account. They probably don't limit how fast you can follow people!
And it turns out they don't. Looking at your timeline isn't limited either. My plan: follow every single user and look at my timeline to see if anyone mentioned the bot.
I set it up so my bot follows about 100 users every 5 minutes, checked my follow count from time to time, then went to bed.
2 March 2017: Gab is having trouble loading, other people are starting to report the problems, and I just think they are getting DDoSed by some skid.
The next day, everyone was getting 502 or 504 errors, meaning we could not message @support to ask what was going on.
After a week or so, everything was back to normal.
I went to tweak some things on my bot, but the account had disappeared; that's when I realised I was probably the cause of this.
It had followed 145k accounts at a slow pace, and all it was doing was checking its timeline like a normal user would.
Lessons learned: check whether your whole website can be killed by a single account simply following a lot of people (a timeline that has to merge posts from 145k followees is a very different query from one that merges 200, and the client only has to ask for it), and rate limit your API even if you think you will be the only one using it. A per-account follow rate limit, a hard cap on how many accounts one user may follow, and a per-client limit on timeline reads would each have stopped this bot.
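The following is an added example, not Gab's code or the author's bot: a minimal in-memory model of the two endpoints the post describes as unlimited (follow and timeline), with a sliding-window rate limiter on each plus a hard cap on how many accounts one user may follow. The budgets (60 follows per hour per account, 120 timeline reads per minute per client IP, 5,000 followees max) are hypothetical numbers chosen for illustration. `simulate_bot` replays the post's pattern of 100 follows every 5 minutes to show where the limits stop it.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key
    (account id, client IP, ...). Keeps a deque of accepted timestamps
    per key and drops the ones that have aged out of the window."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class SocialAPI:
    """Toy model of a follow graph and a fan-in timeline (hypothetical)."""

    def __init__(self, max_following=5000):
        self.max_following = max_following          # hard cap per account
        self.following = defaultdict(set)           # actor -> {followees}
        self.posts = defaultdict(list)              # author -> [(ts, text)]
        self.follow_limit = SlidingWindowLimiter(60, 3600)   # 60 / hour
        self.timeline_limit = SlidingWindowLimiter(120, 60)  # 120 / minute

    def follow(self, actor, target, now):
        """Returns (accepted, reason). Cap is checked before the rate
        limit so a capped account does not burn its rate budget."""
        if actor == target:
            return (False, "self-follow")
        if len(self.following[actor]) >= self.max_following:
            return (False, "follow cap reached")
        if not self.follow_limit.allow(actor, now):
            return (False, "rate limited")
        self.following[actor].add(target)
        return (True, "ok")

    def post(self, author, text, ts):
        self.posts[author].append((ts, text))

    def timeline(self, actor, client_ip, now, limit=20):
        """Newest `limit` posts from everyone `actor` follows, or None when
        the client is over budget (map None to HTTP 429 in a real server).
        The merge below touches every followee, so its cost grows with the
        follow count; that is why the cap matters as much as the rate limit."""
        if not self.timeline_limit.allow(client_ip, now):
            return None
        merged = []
        for author in self.following[actor]:
            merged.extend(self.posts[author])
        merged.sort(reverse=True)
        return [text for _, text in merged[:limit]]


def simulate_bot(api, bot="bot", total=145_000, per_batch=100, every=300):
    """Replay the post's pattern (100 follows every 5 minutes, 145k targets)
    against `api` and return how many follows were accepted."""
    accepted = 0
    now = 0.0
    for batch in range(total // per_batch):
        for i in range(per_batch):
            ok, _ = api.follow(bot, "user%d" % (batch * per_batch + i), now)
            accepted += ok
        now += every
    return accepted


if __name__ == "__main__":
    # With the limits above the bot gets 60 follows per hour and stops at
    # the 5,000 cap instead of reaching 145,000.
    print(simulate_bot(SocialAPI()))
```

The follow limiter keys on the account and the timeline limiter on the client IP, since the post shows that a blocked IP is trivial to work around by changing which endpoint you poll; keying the expensive read on the account as well would close that gap.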
Note: This can still be done, it doesn't look like they fixed anything.