A newly released 63red Safe mobile app that aims to help wary Trump supporters find “safe” and conservative-friendly places to wear Make America Great Again (MAGA) gear turns out to have a host of security issues, according to one researcher.
Meanwhile, Scott Wallace, the Oklahoma-based mobile app developer behind 63red Safe (which is described on Google Play as a Yelp-like app designed “to keep conservatives safe as they eat and shop”) has not taken kindly to the findings. He’s accusing the researcher of hacking his database and has threatened legal recourse.
Alderson said that in taking a look at the publicly available source code, he found that Wallace had implemented an open API in order to communicate with the 63red Safe server, which contains the app’s database. The issue is that API has no log-in protection.
“In this case, they ‘forgot’ to implement an authentication mechanism,” Alderson tweeted. “It means everybody can use their API, it’s open bar!”
He also discovered that there’s a list of API endpoints in the app’s source code, making it possible for someone with a bare minimum of software engineering skills to more easily access user data stored on the server. This includes profile IDs, when the profiles were created, profile pictures, the number of people a user follows and is following, UIDs and email addresses. It’s also possible to block users and create new profiles, he said.
Alderson said that he was able to see that 4,466 persons created a profile on the app. He said he didn’t download the database, but he noted that it was possible to use two specific APIs requests to obtain the information.
“[Use] the ‘Get user by ID’ endpoint and do 4,466 requests to get all the user data,” Alderson tweeted, adding, “but you can also use the ‘Get user by UID’ endpoint. It will return all the users with a user id … starting with the letter of your choice. So you will have only 26 letters + 10 digits = 36 requests to do to get the full user database.”
He summed up the situation in a concluding tweet:
— Elliot Alderson (@fs0c131y) March 12, 2019
Speaking to Threatpost via Twitter direct message, Alderson said, “I’m a professional security researcher, I’m here to help them not the opposite.” But Wallace took the findings to be an attack and said he would pursue prosecution for hacking.
“As we have seen across the United States, conservatives particularly have come under attack for their political beliefs — verbally, physically, and electronically,” he wrote in an official response. He added, “We see this person’s illegal and failed attempts to access our database servers as a politically-motivated attack, and will be reporting it to the FBI later today. We hope that, just as in the case of many other politically-motivated internet attacks, this perpetrator will be brought to justice, and we will pursue this matter, and all other attacks, failed or otherwise, to the utmost extent of the law. We log all activity against all our servers, and will present those logs as evidence of a crime.”
He also tweeted his displeasure:
TL;DR: No lost passwords, no breach of database, no data changed, minor problem fixed. We’re angry by the attempt, FBI notified.https://t.co/v59DExCI0F
— 63red (@63red) March 12, 2019
Alderson told Threatpost via Twitter DM that “what I did is pretty simple, no hack was required. I didn’t ‘break’ anything, there was no protection at all.”
In response to Wallace, the researcher tweeted, “I did not hack your app, I read the available source code and I used your unauthenticated APIs… By threatening me, a security researcher, you are threatening the whole #infosec community. I’m a professional and I’m not hiding. I’m staying at your disposal if needed.”
Threatpost also reached out to Pradeo Security for an analysis of the app. The firm found that the login and password are hardcoded (confirming @fs0c131y‘s discovery); and, the API used by the app doesn’t have any authentication mechanism (which also confirms @fs0c131y‘s discovery).
Further, Pradeo found that the app collects and sends over the network the following data: all the data typed in the app, location information, device identifier, OS version number, device manufacturer, battery level and hardware info.
And, the app has 10 code vulnerabilities that can lead to data leakage, denial of service and data corruption.
Wallace said that the exposed information has now been locked down – but the app has temporarily disappeared from app stores as of the time of writing, making it difficult to verify the statement. Wallace didn’t respond to Threatpost for this story.
This isn’t Alderson’s first tango with the digital side of Conservative America. In October he published a vulnerability in the Donald Daters app. The app, a MAGA-themed dating experience, turned out to be leaking users’ names, photos, personal messages and users’ authentication tokens.
David Richardson, senior director of Enterprise Product Management at Lookout, noted that unfortunately, it’s all too common for app developers to overlook security considerations and best practices in favor of getting into the market quicker.
“The mobile app ecosystem is great for enabling any individual to build an app from anywhere — even their garage — but when these apps and the supporting back-end infrastructure are built without security in mind,” Richardson told Threatpost. “As a result, they risk leaking data through insecure coding practices, insufficient encryption and insufficient authentication.”
On March 19, Alderson said that he had decided to remove all tweets related to his findings on the app:
I decided to remove all tweets related to the 63red disclosure. I didn't give them enough time to fix, it was an irresponsible disclosure and I apologize for that, it was not cool. Few days ago, I sent them a message and proposed my help, for free as usual, they didn't answer 1/3
— Elliot Alderson (@fs0c131y) March 19, 2019
This post was updated March 19 at 11:45 a.m. ET to reflect Alderson’s decision to remove his tweets as well as the analysis information from Pradeo.