A security flaw on a website set up to gather evidence of alleged in-person voter fraud in Arizona opened the door to SQL injection and other attacks, exposing voters' personal data.
The bug, found on a site set up by the Trump campaign called dontpressthegreenbutton.com, was discovered by cybersecurity pro Todd Rossin, almost by accident.
The researcher saw a news story about alleged voter fraud in Maricopa County, which is home to Phoenix, Scottsdale and the bulk of Arizona's population. The article explained that the Trump campaign had filed a lawsuit alleging that voters were tricked by poll workers into submitting ballots with errors, overriding the system by pressing a green button. The news article linked to the site associated with the suit, dontpressthegreenbutton.com, which said it is collecting legal, sworn declarations of such fraud to be used as evidence.
Rossin clicked on the site and started poking around.
“I went to the Green Button site and made up a name, and [then] saw all these other voters’ names and addresses pop up,” Rossin told Threatpost. “I wasn’t looking for it but was surprised to see it.”
Rossin shared his findings on Reddit under his username BattyBoomDaddy, and the post quickly gained traction, racking up nearly 250 comments and more than 7,600 upvotes so far.
“Someone…ran a script to test out how easy it would be to pull the data and change the parameters to start with the letter ‘A’ and to stop at the first 5,000 entries – and bam, the first 5,000 names and addresses,” Rossin explained. “Someone else used a SQL injection to pull names, addresses, dates-of-birth (DOBs) and last four of Social Security numbers.”
Plenty of voter data is public in Arizona, but Social Security numbers and DOBs are supposed to be kept confidential.
API and SQL Injection
Rossin told Threatpost that he, along with others, reported the breach to the Maricopa County Elections Department.
“This is a perfect example of ‘rushing to market,’ as it is clear that this site was rushed with little to no thought given to security,” Ray Kelly, principal security engineer at WhiteHat Security, told Threatpost. “For example, a simple automated security scan would certainly have found the SQL-injection vulnerability in minutes and prevented the sensitive data from being pulled from their database.”
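The two failure modes described above (a lookup endpoint that lets a script walk the whole voter table by name prefix, and a query built by string concatenation that accepts SQL injection) are easy to reproduce in miniature. The following is an added example written for this page, not code from the Green Button site or from anyone quoted here; the table layout, the `lookup_vulnerable`/`lookup_hardened` functions and the sample rows are all hypothetical, and the voter records are constructed, fictional data. The vulnerable lookup mirrors the behaviour the article describes; the hardened version shows the controls a practitioner would expect: a parameterized query, LIKE wildcards escaped, a minimum prefix length, a hard cap on rows, and only the fields needed to confirm a match (never DOB or partial SSN) returned to the client.

```python
import sqlite3

# Constructed sample data for the demo: fictional people, fictional addresses.
# Column layout is an assumption, chosen to mirror the fields the article says leaked.
SAMPLE_VOTERS = [
    ("Alice Example", "1 Main St, Phoenix", "1970-01-01", "1234"),
    ("Adam Sample", "2 Oak Ave, Scottsdale", "1985-05-05", "5678"),
    ("Bob Placeholder", "3 Elm Rd, Mesa", "1990-09-09", "9012"),
]


def make_db():
    """Build an in-memory SQLite table holding the constructed voter rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE voters (name TEXT, address TEXT, dob TEXT, ssn_last4 TEXT)"
    )
    conn.executemany("INSERT INTO voters VALUES (?, ?, ?, ?)", SAMPLE_VOTERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name_prefix):
    """Hypothetical 'before': the prefix is pasted straight into the SQL text,
    every column is returned and there is no result cap.

    A one-letter prefix enumerates the table; a payload such as
    "x' OR 1=1 --" comments out the closing quote and dumps every row."""
    sql = (
        "SELECT name, address, dob, ssn_last4 FROM voters "
        f"WHERE name LIKE '{name_prefix}%'"
    )
    return conn.execute(sql).fetchall()


def _escape_like(text):
    """Escape the LIKE metacharacters so user input is matched literally."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def lookup_hardened(conn, name_prefix, limit=10):
    """Hardened lookup: parameterized query, escaped wildcards, a minimum
    prefix length to block enumeration by single letter, a bounded row
    count, and only the fields a declarant needs to confirm their own
    record. DOB and SSN digits never leave the database."""
    if len(name_prefix) < 3:
        raise ValueError("name prefix must be at least 3 characters")
    pattern = _escape_like(name_prefix) + "%"
    rows = conn.execute(
        "SELECT name, address FROM voters WHERE name LIKE ? ESCAPE '\\' LIMIT ?",
        (pattern, limit),
    ).fetchall()
    return rows


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, prefix 'A':", lookup_vulnerable(db, "A"))
    print("vulnerable, injected  :", lookup_vulnerable(db, "x' OR 1=1 --"))
    print("hardened, 'Ali'       :", lookup_hardened(db, "Ali"))
    print("hardened, injected    :", lookup_hardened(db, "x' OR 1=1 --"))
```

Run it and the vulnerable path returns two full records (with DOB and last-4 SSN) for the prefix `A` and all three for the injection payload, while the hardened path treats the same payload as a literal string that matches nothing. The point Kelly makes about automated scanning applies to the first function: a scanner that feeds a quote into `name_prefix` would see the query error or the row count jump immediately.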
Infosec professional Richey Ward saw Rossin’s post and decided to do a little digging of his own. Ward shared his findings on Twitter, where he explained that he was able to access full names and addresses of 163,000 voters, tagging the Maricopa County Elections Department. While this information is made publicly accessible to campaigns, Arizona law prohibits it from being shared via the web.
“Tracing this to an Algolia API call is trivial, alongside API keys,” Ward wrote. “This allows anyone with the keys to query the data outside the website.”
Just hours later, Ward found that the API was taken down and no longer accessible.
“I was happy that people recognized it was a big deal,” Rossin added. “I also looked up Arizona law on it, and the law specifically says that the information is not to be distributed, and especially says not on the internet.”
And while the obvious security vulnerabilities associated with the Green Button site have been addressed, Rossin said the site is still far from secure.
“Yes, they pulled the API down,” Rossin told Threatpost. “It still has very lax security.”
Rejected Voter Lawsuit
Threatpost has not been successful in multiple attempts to contact the attorney behind the Green Button lawsuit, Alexander Kolodin, or his firm, Kolodin Law Group.
The security issue comes to light amid attacks targeting voters and voter data. Just a month ago, in the lead-up to the election, voters were targeted by a phishing lure trying to convince them to give up their information. Election cybersecurity more generally is a crucial point of focus for campaigns and law-enforcement officials, and it is up to campaigns to keep an eye on security in all phases of their outreach.
“Looking at the evidence so far, it does indeed look like an issue for voter-data exposure,” Brandon Hoffman, CISO at Netenrich, said about the site. “These political campaigns, in their haste, are doing more damage to people than the good they can hope to deliver. While everybody understands the desire and need for transparency and a fair outcome for all, they also have the utmost responsibility to voters to keep our information protected if they plan to use it.”
Despite the reported security vulnerabilities, the dontpressthegreenbutton.com site assures visitors, “The Republican National Committee and Donald J. Trump for President Inc. will not disclose personally identifying information except as required by law.”
Netenrich added that although this particular breach is associated with the Trump campaign, neither political party is effectively protecting voter data. In September, the official application of the Joe Biden campaign was found to have a privacy issue.
The Vote Joe app allows users to share data about themselves and their contacts with a voter database run by Target Smart. The App Analyst noted at the time that “an issue occurs when the contact in the phone does not correspond with the voter, but the data continues to enrich the voter database entry. By adding fake contacts to the device, a user is able to sync these with real voters.” The issue is now resolved.
“Both campaigns have now provided exposures of data for voters with no apparent ramifications,” Netenrich said. “If a lay person put up a website leaking Social Security numbers and addresses of people, they would likely be in jail and under litigation. The companies and campaigns that are using personally identifiable information of Americans must take the time and diligence to protect that data.”