In the days since the United States’ presidential election, incumbent President Donald Trump has spent most of his waking hours alleging various voting fraud schemes. The “investigations” into those claims have actually compromised voter data in Arizona, opening the system up to SQL injection and other cybersecurity attacks.
Cybersecurity consultant Todd Rossin stumbled upon the vulnerability in one of the Trump campaign’s websites and posted his findings on the r/privacy Reddit forum, where it quickly garnered attention from the community. The website in question, DontTouchTheGreenButton.com, was supposedly created to allow voters in Maricopa County — one of the last to report votes in the swing state — to address voter fraud concerns.
The website is entirely unsecured, Rossin says, and its exploitation could efficiently expose swaths of voter data. In his harried attempts to challenge his loss, Trump is creating more problems than he’s solving.
Not even a little secure — Phew. Perhaps the most impressive part of this ordeal is that the website in question’s security is so incredibly bad that hacking it is almost too easy to be called hacking at all. A simple SQL injection — whereby the attacker inserts malicious code into an entry field — does the trick.
Ray Kelly, a security engineer at WhiteHat Security, told ThreatPost that the site is a perfect example of “rushing to market” without completing the requisite cybersecurity measures. “A simple security scan would certainly have found the SQL-injection vulnerability in minutes and prevented the sensitive data from being pulled from their database.”
Another cybersecurity expert, Richey Ward, saw Rossin’s original Reddit post and tried it out for himself. He found he was able to access a database of more than 163,000 voter names and addresses with just a few lines of code. The database also includes dates of birth and the last four digits of voters’ social security numbers.
Let’s hope this gets taken down — At the time of writing, the website is still active. About 12 hours after Rossin’s original post, the site’s API was updated to remedy this particular vulnerability — but the site’s security is still “garbage,” Rossin says. The site still receives a failing grade on Mozilla’s website security checker.
And this is only the first instance we’ve seen reported — given that the Trump campaign has made a myriad of hasty websites since Election Day, there are doubtless others with huge security flaws, too.
The Maricopa County Elections Department has been made aware of the issue. It’s unlikely the Trump campaign will face any repercussions for this immense security flaw. It may also do nothing about it considering it's far too busy trying to fabricate evidence for its claims around the election.