Trump fights the election: voter information leaked on the lawsuit site

The Trump campaign's website, set up for self-reporting voters, had an SQL injection flaw that exposed personal data to anyone

Voter reporting site leaked SSN. Personal information on fraud-reporting voters could have been accessed and scraped by anyone.

The U.S. presidential election results made Donald Trump unhappy, so multiple lawsuits were filed in different states, accusing polls in various states of corrupt results.[1] A website tied to one of them, focused on Maricopa County, Arizona, was set up for voters to report fraud. However, the site was discovered to leak personal voter information, including names and addresses.[2] It was later discovered that the website had SQL injection flaws that made it possible to collect voters' social security numbers and dates of birth.

Trump alleged voter fraud and wanted proof that his lawyers and campaign team could turn into legitimate lawsuits. Such websites helped the team gather information from voters reporting irregularities, but the platform was found to leak the data of voters who claimed their votes had been rejected.

Major data recording flaw noticed by site visitors

This voter fraud reporting site has a Google form that you can use to search for your name, and other details automatically appear next to your name. Anyone can see that. The users themselves noticed the SQL injection vulnerability. Using the technique yields personal information such as names, addresses, birthdays, and social security numbers.

A Reddit user[3] who pointed out the issues said:

On a lark, I went to the site and was looking at it and started adding a made-up name and noticed I was being shown names and addresses of voters. I played around a little more and realized just how bad this looked.

Further analysis showed that the API key and Application ID exposed in the request made it possible to run any queries and expose voters' data. This information could easily be scraped and stolen in bulk from the service. However, the API was removed from the site after initial reports and news articles.
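A minimal sketch of the kind of name lookup described above, added here as an illustration and not the campaign site's code: the table layout, function names and sample records are all constructed assumptions. It contrasts a lookup that concatenates input into the query and returns whole records with one that binds the input as a parameter and discloses only whether a report exists.

```python
import sqlite3

def make_db():
    # Constructed sample data; every name, address and SSN here is made up.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE reports (name TEXT, address TEXT, dob TEXT, ssn TEXT)")
    db.executemany("INSERT INTO reports VALUES (?, ?, ?, ?)", [
        ("Alice Example", "1 Main St", "1980-01-01", "000-00-0001"),
        ("Alan Sample", "2 Oak Ave", "1975-05-05", "000-00-0002"),
        ("Bob Placeholder", "3 Elm Rd", "1990-09-09", "000-00-0003"),
    ])
    return db

def lookup_vulnerable(db, name):
    # Weak pattern: user input is concatenated into the SQL text, the match
    # is a prefix match, and every column (SSN included) goes back to the caller.
    sql = "SELECT * FROM reports WHERE name LIKE '" + name + "%'"
    return db.execute(sql).fetchall()

def lookup_hardened(db, name):
    # The input is bound as a parameter, so it is only ever compared as data.
    # Exact match only, and the caller learns just whether a report exists.
    name = name.strip()
    if not name:
        return False
    row = db.execute(
        "SELECT 1 FROM reports WHERE name = ? COLLATE NOCASE LIMIT 1", (name,)
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    # A single typed letter already returns other people's full records.
    print(len(lookup_vulnerable(db, "A")), "full records for prefix 'A'")
    # Input containing a quote changes the query's structure in the weak version.
    crafted = "x' OR '1'='1' --"
    print(len(lookup_vulnerable(db, crafted)), "records for quote-bearing input")
    # The hardened lookup treats the same string as a literal name.
    print(lookup_hardened(db, crafted), lookup_hardened(db, "alice example"))
```

Parameter binding fixes the injection, but the data exposure is closed only because the hardened lookup also stops returning record fields to the browser.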

A simple technique for any hacker to use

Information about voters was publicly available to anyone, but the privacy issue was with the hastily made website's bulk data collection.[4] This leak of personal information raised questions about privacy and security. The site asks for names, addresses, SSNs, phone numbers, and emails. Anyone who wants to report the alleged voter fraud reveals a lot of detail.

Unfortunately, the revealed exposure technique is simple enough that hackers can get a lot of data and use it later for phishing scams and direct spam campaigns. Some reports state that many users tested the flaw and successfully accessed thousands of voters' personal information. It was achieved by randomly choosing parameters, combinations of letters, and running the flawed scripts.

The issue was reported to the Arizona Board of Elections and the Maricopa County Recorder. The Trump campaign team managed to fix the issue and removed the API from the lawsuit site. Unfortunately, it took over 12 hours. That means any bad actor could have scraped data from the site during that time and stored those details for later malicious use. This is not the first time an election campaign has drawn attention in the cybersecurity field.[5]

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
