[German]The team of still US President Donald Trump has set up a website where people can report alleged election fraud for a law suite. A hot story, has among other things the flaw that the website probably leaked the data of US voters.
Advertising
The team around Donald Trump, who is still President of the United States, makes fun of the voters. Supporters are bombarded with e-mails soliciting donations for the upcoming lawsuits for election fraud. Now I read here that a large part (60%) of these donations will be used to pay off campaign debts.
And there is a website that was set up by the Republicans to report election fraud as cases for a law suite. The website DontTouchTheGreenButton.com was just launched by the Trump campaign …
Data of voters disclosed
Now Bleeping Computer reports here, that this website, that was hastily set up, was a data slingshot. On the website, users were able to view the data of other voters. The data included (is fixed) the name of the voter, his address and a unique identifier. However, there have been reports from users who claim that the website has SQL injection errors that allow the SSN (social security number) and date of birth of a voter to be determined.
This is because the DontTouchTheGreenButton.com website requires voters to provide personal information, such as name and address, telephone number, email address, date of birth and the last 4 digits of the Social Security Number (SSN), and answers to multiple choice questions. To limit the ability to make statements only to voters in Maricopa County, the site provides users the ability to "search" for their name and automatically enter their address.
Advertising
Since voter rolls are public information, the ability for anyone to look up this information is hardly surprising. However, a website should not have any privacy or data protection violations. Some users refer to the website as "hastily set up", with data leaks and SQL injection vulnerabilities.
BleepingComputer observed that the data was retrieved from the server using the Algolia REST API. The exposed API key and application ID in the request could allow anyone to programmatically execute queries to retrieve voter data en masse from the service.
Regarding privacy issues, some users on Reddit also claim that the website matches the name and address they submitted with the last 4 digits of the SSN that the user entered, and reveals the part of the SSN that the user entered. In the meantime, however, the API has probably been removed, and retrieval is no longer possible.
Similar articles:
Hotel reservation platform Prestige Software reveals hundreds of thousands of guest data
'Deloitte' site 'Test your Hacker IQ' leaked access data to user database
Ragnar Locker Ransomware Infection at Campari Group
Hackers publish stolen security information from Swedish security provider Gunnebo
Data leak: Amazon customer data were leaked (Oct. 2020)
Nitro (PDF) data leak affects Apple, Google, Microsoft & Co
German Software AG victim of Cl0p ransomware, data leak
