A mistake made by website developers left an official re-election website for President Donald Trump open to attack. The error, impacting hundreds of other websites as well, is tied to a website development tool called Laravel, used to test sites before they go live.
The tool, accidentally left active on a slew of sites, would allow hackers to hijack the site’s email servers and intercept, send or read email messages sent from the site’s domain.
“The tool, a PHP framework called Laravel, includes a ‘debug mode’ that lets developers identify errors and misconfigurations before websites go live,” said researchers Bob Diachenko and Sebastien Kaul, working on the behalf of security firm Comparitech, in a report posted Thursday.
“The problem is that many developers fail to disable the debug mode after going live, exposing back-end website details like database locations, passwords, secret keys and other sensitive info,” they said.
The Trump domain that was left exposed is DonaldJTrump.com, a website used to solicit campaign donations and invite visitors to sign-up for Trump campaign emails. Diachenko said he discovered the exposed tool on a subdomain (leadops.donaldjtrump.com) of donaldtrump.com on Oct. 11 and at that time sent a flurry of emails to the site and other Trump-related website privacy contacts with no response.
On Oct. 15, he emailed Trump campaign manager Brad Parscale and got no response. The following day, researchers contacted NYPD Police Commissioner James P. O’Neill, also with no response. After contacting nearly a dozen additional people connected to the Trump campaign, on Oct. 16 the Trump team finally fixed the issue, according to researchers.
“It took them a week to finally close it,” Diachenko told Threatpost. “It is hard to tell for how long it was exposed for.”
In all, researchers discovered 768 websites with active Laravel debugging sessions. Researchers estimate that 10 to 20 percent of them leaked sensitive configuration data. Laravel is an open-source hypertext preprocessor (PHP) framwork used by developers to create and test web applications. PHP refers to the programming language used to build websites. According to research cited by Comparitech, about 135,000 use the Laravel tool.
“Even 24 hours is dangerous enough,” Diachenko is quoted in the report. “Theoretically, anybody could use these credentials to impersonate the Trump campaign and send emails on behalf of email.donaldtrump.com.”
In the Comparitech report, author Paul Bischoff, noted: “This exposure… gave hackers an attack vector to potentially hijack mail servers, explore source code structure, find weak points, re-use passwords on other systems, and mount other types of attacks.”
What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic on Oct. 23 will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.