As outgoing US President Donald Trump rages, almost certainly without foundation, against the recent election, a highly embarrassing cyber-security mistake by his allies has emerged.
A security flaw on a website set up to gather evidence of in-person voter fraud in Arizona would have opened the door for SQL injection & other attacks.
A flawed setup of this Trump website, which collects reports of in-person vote irregularities in Maricopa County, exposed 163,000 voter data records to fraud via SQL injection.
The bug, found on a site set up by the Trump campaign called dontpressthegreenbutton.com, was discovered by cyber-security pro Todd Rossin, almost accidentally.
The researcher saw a news story about alleged voter fraud in Maricopa County, which is home to Phoenix, Scottsdale & most of Arizona’s population.
The article explained that the Trump campaign has filed a lawsuit alleging that voters were tricked by poll workers into submitting ballots with errors, overriding the system by pressing a green button.
The news article linked to the site associated with the suit, dontpressthegreenbutton.com, which said it is collecting legal, sworn declarations of such fraud to be used as evidence.
Rossin clicked on the site & started looking around.
“I went to the Green Button site & made up a name, & then saw all these other voters’ names & addresses pop up,” Rossin explained. “I wasn’t looking for it but was surprised to see it.”
Rossin shared his findings on Reddit under his username BattyBoomDaddy, & the post quickly gained traction, racking up nearly 250 comments & more than 7,600 upvotes so far.
“Someone…ran a script to test out how easy it would be to pull the data and change the parameters to start with the letter ‘A’ & to stop at the first 5,000 entries – & bam, the first 5,000 names & addresses,” Rossin explained.
“Someone else used a SQL injection to pull names, addresses, dates-of-birth (DOBs) & last 4 of Social Security numbers.”
Plenty of voter data is public in Arizona, but Social Security numbers & dates of birth are supposed to be confidential.
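The two weaknesses described above (a lookup that lets the caller choose the starting letter & the number of rows, & a query open to SQL injection) are shown here beside a hardened form, as an added example that is not the site's code. The table, column & function names & the sample rows are constructed, & the hardened variant assumes the form only needs to confirm that a submitter is on the roll.

```python
import sqlite3

# Constructed sample rows; table, column and function names are assumptions.
ROWS = [
    ("Alice Adams", "1 Elm St", "1970-01-01", "1111"),
    ("Aaron Avery", "2 Oak St", "1980-02-02", "2222"),
    ("Bob Baker", "3 Fir St", "1990-03-03", "3333"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE voters (name TEXT, address TEXT, dob TEXT, ssn4 TEXT)")
    db.executemany("INSERT INTO voters VALUES (?, ?, ?, ?)", ROWS)
    return db

def lookup_weak(db, prefix, limit="10"):
    # Weak: input is concatenated into the SQL text, any prefix matches,
    # the caller picks the row count, and every column is returned.
    sql = "SELECT * FROM voters WHERE name LIKE '" + prefix + "%' LIMIT " + limit
    return db.execute(sql).fetchall()

def lookup_hardened(db, name, address):
    # Hardened: bound parameters, exact match on values the submitter must
    # already know, a fixed one-row cap, and only a yes/no answer leaves the server.
    name, address = name.strip(), address.strip()
    if not name or not address or len(name) > 100 or len(address) > 200:
        return False
    row = db.execute(
        "SELECT 1 FROM voters WHERE name = ? COLLATE NOCASE "
        "AND address = ? COLLATE NOCASE LIMIT 1",
        (name, address),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    # One letter and a large limit return other voters' full rows.
    print(lookup_weak(db, "A", "5000"))
    # The same guess reveals nothing; a full, correct pair only confirms.
    print(lookup_hardened(db, "A", ""))
    print(lookup_hardened(db, "alice adams", "1 elm st"))
```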
API and SQL Injection
Rossin went on to say that he, along with others, reported the breach to the Maricopa County Elections Department.
“This is a perfect example of ‘rushing to market’ as it is clear that this site was rushed with little to no thought given to security,” Ray Kelly, Principal Security Engineer at White Hat Security, explained.
“For example, a simple automated security scan would certainly have found the SQL-injection vulnerability in minutes & prevented the sensitive data from being pulled from their database.”
Infosec professional Richey Ward saw Rossin’s post & decided to do a little digging himself. Ward shared his findings on Twitter, where he explained that he was able to access full names & addresses of 163,000 voters, tagging the Maricopa County Elections Department.
While this information is made publicly accessible to campaigns, Arizona law prohibits it from being shared via the web.
“Tracing this to an Algolia API call is trivial alongside API keys,” Ward wrote. “This allows anyone with the keys to query the data outside the website.”
Just hours later, Ward found that the API was taken down & no longer accessible.
“I was happy that people recognised it was a big deal,” Rossin added. “I also looked up Arizona law on it & the law specifically says that the information is not to be distributed & specially says not on the internet.”
While the obvious security vulnerabilities associated with the Green Button site have been addressed, Rossin said the site is still far from secure.
“Yes, they pulled the API down,” Rossin outlined. “It still has very lax security.”
Rejected Voter Lawsuit
The attorney behind the Green Button lawsuit, Alexander Kolodin, & his firm, Kolodin Law Group, have not commented.
The security issue comes to light amid attacks targeting voters & voter data. Just a month ago, in the lead up to the election, voters were victimised by a phishing lure trying to convince them to give up their information.
Election cyber-security more generally is a crucial point of focus for campaigns & law-enforcement officials. It is up to campaigns to make sure they're keeping their eye on security in all phases of their outreach.
“Looking at the evidence so far, it does indeed look like an issue for voter data exposure,” Brandon Hoffman, CISO at Netenrich, observed about the site. “These political campaigns, in their haste, are doing more damage to people than the good they can hope to deliver.
While everybody understands the desire & need for transparency & a fair outcome for all, they also have the utmost responsibility to voters to keep our information protected if they plan to use it.”
Despite the reported security vulnerabilities, the dontouchthegreenbutton.com site assures visitors, “The Republican National Committee & Donald J. Trump for President, Inc. will not disclose personally identifying information except as required by law.”
Netenrich added that although this breach is associated with the Trump campaign, neither political party is effectively protecting voter data. In Sept., the official application of the Joe Biden campaign was found to have a privacy issue.
The Vote Joe app allows users to share data about themselves & their contacts with a voter database run by Target Smart.
The App Analyst noted at the time that “an issue occurs when the contact in the phone does not correspond with the voter, but the data continues to enrich the voter database entry. By adding fake contacts to the device, a user is able to sync these with real voters.”
“Both campaigns have now provided exposures of data for voters with no apparent ramifications,” Netenrich commented.
“If a lay person put up a website leaking Social Security numbers & addresses of people, they would likely be in jail & under litigation. The companies & campaigns that are using personally identifiable information of Americans must take the time & diligence to protect that data.”