Donald Trump’s presidential campaign has suffered another cybersecurity incident after a researcher found that his website had leaked personal documents related to interns.
Chris Vickery, MacKeeper’s lead security researcher, discovered that Trump’s website had a “serious misconfiguration” that exposed résumés belonging to interns that had applied to work for his campaign.
The résumés were stored on an insecure Amazon cloud server and the misconfiguration affected the asset repository.
“After discovering this asset server’s existence, and my URL fuzzer being met with code 301 redirects instead of code 403 denials, I started digging. Because directory listing was disabled, there was no easy way to enumerate folder names within the asset bucket. I was running through a small dictionary of common folder names when I got a hit on a folder named 'résumés',” Vickery explained in a blog.
Following this discovery Vickery guessed that the system used an automated script to name the files, such as “resume_1.pdf”, for example. This method yielded over 20 different résumés, which Vickery was able to download and access. Details available to see included, “personal details, work/education history, and references.” Some résumés would also have included phone numbers as well as home and email addresses.
Vickery stopped his investigation there, and notified Trump’s campaign team that their website was leaking personal information. Trump’s tech team eventually secured the data.
One perspective intern whose data was leaked didn’t seem too bothered by the breach. He told Motherboard: “Sucks that it was up for who knows how long, but my info is already in the hands of about every telemarketer and spam emailer in the world.”
While this may be a high profile case of misconfigured server permissions, it’s far from an unusual case, Jonathan Sander, VP of Product Strategy at Lieberman Software, said.
“The Trump website leak could have happened to anyone—anyone who is more concerned about business results than security. When you put it that way, it sounds as if the Trump campaign was extremely careless with this data, but the sad truth is that's not the exception, it is the rule,” he said. “Some person likely set up the system in the most expedient way possible, and no one reviewed the security until someone acted like a bad guy, which is the story of most breaches.”
"There's also a question here about the design of the system itself encouraging better security in how it walks the user through set-up. In the end, this falls to the person hired by Trump to do this configuration, someone who may today be heading towards the iconic "you're fired" right from the man who made it famous,” Sander added.
Trump’s website was hacked earlier this year, with Anonymous taking the credit, while his chain of hotels was also targeted by hackers, with payment data being exposed. Cyber defenses have played a big role in this election campaign, as Russian hackers have been accused of targeting systems belonging to the Democratic National Committee (DNC) in order to steal opposition research on Trump.
This issue, however, was very much avoidable, Vickery said, adding that it could have been a lot worse if he had continued with his investigation.
“We’ll probably never know how bad the exposure really was or what other files I could have found,” he wrote. “Let’s just hope that Donald’s team learned a good lesson here, and, if he is elected, that they are capable of guarding national assets better than their website’s assets."
Photo © uplift_the_world/Shutterstock.com