Access credentials for the Campaign Sidekick app, used by Republican campaigns for voter contacts, surveys and canvassing, were exposed in a code repository within a publicly accessible .git directory, a version control system that records code base changes during software development so that developers can work from the same code.
“The same operations that make git useful for software development, however, also make it possible for code to be exposed when self-hosted git folders are misconfigured,” according to researchers at UpGuard, who discovered the repository in February and reported in a blog post that it has since been secured. “When a .git directory is configured for public accessibility, as was the case for files hosted on campaignsidekick.vote, anyone in the world can view all code and its history.”
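The exposure described above shows up as a readable `/.git/HEAD` on the web host. As an added audit helper (not UpGuard's tooling, and not code from the Campaign Sidekick project), the following script classifies the response a site returns for that path so an operator can check their own hosts; the URL argument, the status-code mapping and the sample responses are constructed for this example:

```python
"""Audit helper: does a web host serve its .git directory to the public?

A readable /.git/HEAD whose body looks like "ref: refs/heads/master" (or a
bare commit hash for a detached HEAD) means the repository, history
included, is downloadable by anyone. Fix on the server side, e.g. nginx:
    location ~ /\\.git { deny all; return 404; }
"""
import re
import urllib.error
import urllib.request

# Valid contents of a git HEAD file: a symbolic ref or a SHA-1/SHA-256 hash.
HEAD_RE = re.compile(r"^(ref: refs/[\w./-]+|[0-9a-f]{40}|[0-9a-f]{64})\s*$")


def classify_head_response(status: int, body: bytes) -> str:
    """Classify a GET /.git/HEAD response as exposed, blocked or inconclusive.

    A 200 with HTML (a catch-all route) is not a git file, so it does not
    count as exposed; only a body matching the HEAD format does.
    """
    if status in (401, 403, 404, 410):
        return "blocked"
    if status == 200:
        text = body.decode("utf-8", errors="replace").strip()
        return "exposed" if HEAD_RE.match(text) else "inconclusive"
    return "inconclusive"


def check_site(base_url: str, timeout: float = 5.0) -> str:
    """Fetch <base_url>/.git/HEAD from a host you administer and classify it."""
    url = base_url.rstrip("/") + "/.git/HEAD"
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_head_response(resp.status, resp.read(512))
    except urllib.error.HTTPError as err:
        return classify_head_response(err.code, b"")
    except (urllib.error.URLError, OSError):
        return "inconclusive"


# Constructed sample responses, used to exercise the classifier offline.
SAMPLES = {
    "symbolic_ref": (200, b"ref: refs/heads/master\n"),
    "detached_head": (200, b"a" * 40 + b"\n"),
    "spa_catch_all": (200, b"<!doctype html><html><body>app</body></html>"),
    "denied": (403, b""),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name}: {classify_head_response(status, body)}")
```

Run it with a URL of your own host via `check_site("https://example.invalid")`; the sample dictionary lets the classifier be exercised without any network access.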
Source code and credentials for the GOP app – including code change history since November 2016 – were found in the directory. “Additionally, the data exposed in this project included credentials for accessing the cPanel (website administration software) and Secure File Transfer Protocol servers of another U.S. elections-related company, Voter Gravity,” the researchers wrote. The scripts reveal how data was collated from sources like Facebook and “included identifying details of software developers working on the project who were located within, and residents of, India.”
Republicans have been using Campaign Sidekick, originally referred to as Surge Data Technologies, since 2002 as campaigns moved away from paper for large-scale canvassing.
The Campaign Sidekick repository also housed other credentials that bad actors could have “abused to compromise the confidentiality and integrity of data provided to and from their service, including a configuration file that included the app ID and secret key for a Facebook app, an API key and password for a Chargify account,” UpGuard said.
Noting political campaign staffs’ reliance on a “broad ecosystem of third parties” and just how easy it is for attackers to access sensitive data via vulnerable third parties, Kelly White, CEO at RiskRecon, said, “it only takes one mistake within a single app to expose sensitive voter data.”
White stressed that organizations that maintain election integrity must better “understand the security practices of all parties in the data chain of custody and hold those parties accountable.”
Campaign- and election-related apps are under scrutiny after the largely untested IowaReporterApp led to the state party’s vote counting woes during the Iowa caucuses and the Elector Election Day app used by Israeli Prime Minister Benjamin Netanyahu’s Likud Party exposed personal data on more than 6.4 million Israelis – in other words, the entirety of the country’s voter database.