Trump Campaign Email Server Was Left Open To Attack

This article is more than 4 years old.

Running a Presidential campaign is hard. Proper cybersecurity is hard, too. The intersection of the two is doubly hard and missteps can be disastrous.

That’s why today’s update from Comparitech is so alarming. Researchers Bob Diachenko and Sebastien Kaul discovered a configuration error that impacted at least 768 websites.

One of those sites: DonaldJTrump.com, one of the many official sites that are part of the effort to re-elect President Trump in 2020.

The sites utilize a framework for web-based applications called Laravel. Diachenko and Kaul found that on those 768 sites, Laravel’s debugging mode was left on after the websites went live.

Debugging mode allows coders to pinpoint errors and vulnerabilities. It’s meant to be used exclusively behind the scenes. Leaving debugging enabled while a site is live creates a massive security risk.

According to Comparitech’s report, these misconfigured sites exposed “backend website details like database locations, passwords, secret keys, and other sensitive info.”
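
A deployment gate for the misconfiguration described above, as an added example that is not from the article or Comparitech’s report. It assumes Laravel’s standard `.env` keys `APP_DEBUG` and `APP_ENV`; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: block a deploy when a Laravel .env leaves debug mode on.

# Print every value assigned to KEY ($2) in dotenv file $1, one per line, lower-cased.
# Skips commented lines, accepts "export KEY=", strips inline comments and quotes.
env_values() {
    tr -d '\r' < "$1" |
        sed -n -E "s/^[[:space:]]*(export[[:space:]]+)?$2[[:space:]]*=[[:space:]]*//p" |
        sed -E -e 's/[[:space:]]+#.*$//' -e 's/[[:space:]]+$//' \
               -e 's/^"(.*)"$/\1/' -e "s/^'(.*)'\$/\\1/" |
        tr '[:upper:]' '[:lower:]'
}

# Return 0 if safe to deploy, 1 if debug is on outside local/testing, 2 on read error.
check_laravel_debug() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    off='(false|\(false\)|0|null|\(null\)|empty|\(empty\))?'
    # Conservative: any APP_DEBUG assignment that is not clearly off counts as on.
    if ! env_values "$1" APP_DEBUG | grep -q -v -x -E "$off"; then
        return 0
    fi
    # Debug is tolerated only when APP_ENV is set and every assignment is local/testing.
    if env_values "$1" APP_ENV | grep -q . &&
       ! env_values "$1" APP_ENV | grep -q -v -x -E 'local|testing'; then
        return 0
    fi
    echo "FAIL: $1 enables APP_DEBUG outside local/testing" >&2
    return 1
}

# Constructed sample: a production .env with debug left on after launch.
sample=$(mktemp)
printf 'APP_ENV=production\nexport APP_DEBUG="True"  # left on after launch\n' > "$sample"
check_laravel_debug "$sample" || echo "deploy blocked (exit $?)"
rm -f "$sample"
```

Run it in the release pipeline against the `.env` that will ship; a non-zero exit should stop the deploy.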

On a subdomain of DonaldJTrump.com, Diachenko and Kaul were able to locate a text file that contained configuration data for an email server. That data was viewable in any web browser by anyone with the skill to locate it.

That information could have been abused by hackers to send official-looking emails or to move laterally through other systems connected to the DonaldJTrump.com site.

The Comparitech report is careful to note that evidence of a breach was not found. It’s entirely possible, however, that an unauthorized third party could have gained access.

Diachenko and Kaul first notified the DonaldJTrump.com crew on October 11. After five days of making additional attempts to contact both the Trump campaign and the NYPD commissioner’s office, the duo finally got a reply. The Trump team responded that the issue had been fixed.

It appears, then, that the vulnerability could have been exploited for a few days at minimum. The site may have been vulnerable much longer, however.

Comparitech notes that it’s impossible to say how long the server had been live with debugging mode enabled without a more thorough investigation.

Ultimately, the length of time may not matter. Given the potential for misuse on such a high-profile site, Diachenko says, “Even 24 hours is dangerous enough.”