An HTTP 301, you say? Oh deary me
Misconfiguration of Donald Trump’s campaign website left the personal information of interns – and perhaps more – accessible to casual snooping.
Staffers of the real estate mogul-turned-US presidential candidate “bungled the settings on their Amazon S3 server”, according to Chris Vickery, the MacKeeper security researcher who discovered the since-resolved flaw.
The practical upshot of the snafu was that anyone who correctly guessed folder and file names could download sensitive files without ever being asked for a password. In S3 terms, the bucket's contents were world-readable: an unauthenticated HTTP GET for the right object key simply returned the file.
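The failure mode described here is an S3 bucket whose ACL or bucket policy grants READ or s3:GetObject to everyone. What follows is an added example, not code from the article or from the campaign's own setup: an offline audit that flags such grants in the ACL and policy documents boto3 returns from get_bucket_acl() and get_bucket_policy(), with a constructed weak configuration placed beside its fix. The bucket name, account ID and canonical user ID are made up.

```python
"""Offline audit of Amazon S3 bucket ACLs and bucket policies for public access.

Added example, not code from the article or the campaign's own setup. The ACL
and policy documents below are constructed and mirror the shapes boto3 returns
from get_bucket_acl() and get_bucket_policy()['Policy']; bucket and account are made up.
"""
import json

# Grantee URIs meaning "anyone on the internet" and "anyone with an AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Bucket READ lets a stranger list keys; object READ / GetObject lets them download.
EXPOSING_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def public_acl_grants(acl):
    """Return (group, permission) pairs the ACL hands to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            hits.append((PUBLIC_GROUP_URIS[uri], grant["Permission"]))
    return hits


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return [] if value is None else [value] if isinstance(value, str) else list(value)


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_policy_statements(policy):
    """Return Sids of unconditional Allow statements granting exposing actions to everyone.

    Statements with a Condition block (e.g. aws:SourceIp) are skipped: they may be
    legitimately narrowed and need a human look rather than an automatic verdict.
    """
    if isinstance(policy, str):  # get_bucket_policy() hands back a JSON string
        policy = json.loads(policy)
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if any(a in EXPOSING_ACTIONS for a in actions):
            hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits


def assess(acl, policy):
    """A bucket is public if either mechanism grants access to everyone."""
    acl_hits, policy_hits = public_acl_grants(acl), public_policy_statements(policy)
    return {"public": bool(acl_hits or policy_hits), "acl": acl_hits, "policy": policy_hits}


# --- constructed sample documents (weak setting beside its fix) ---------------
OWNER_ID = "0123456789abcdef" * 4  # made-up canonical user ID
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# Weak: everyone may READ the bucket, i.e. enumerate every key in it.
WEAK_ACL = {"Owner": {"ID": OWNER_ID},
            "Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
# Fixed: only the owning account retains access.
FIXED_ACL = {"Owner": {"ID": OWNER_ID}, "Grants": [OWNER_GRANT]}

# Weak: anonymous GetObject on every key, so guessing a key is enough to download it.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-campaign-uploads/*"}]}
# Fixed: the same access scoped to one application role (account ID made up).
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AppReadGetObject", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/CampaignWebApp"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-campaign-uploads", "arn:aws:s3:::example-campaign-uploads/*"]}]}

if __name__ == "__main__":
    for label, acl, policy in (("weak", WEAK_ACL, WEAK_POLICY), ("fixed", FIXED_ACL, FIXED_POLICY)):
        print(label, json.dumps(assess(acl, json.dumps(policy))))
```

The distinction the check draws matters for incidents like this one: object-level READ or a wildcard s3:GetObject means a stranger still has to guess each key, whereas bucket-level READ (or s3:ListBucket) lets them enumerate every key first, turning a guessing game into a full download. AuthenticatedUsers is treated as public because any AWS account in the world qualifies. On a live account the same functions run over the real documents, and the account-wide S3 Block Public Access setting is the backstop that stops a future ACL slip from mattering at all.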
Having confirmed the issue, Vickery notified Team Trump via a contact at Databreaches.net. Proper server permissions were applied soon thereafter.
Vickery prioritised notification over exploring the full extent of the problem.
“Ultimately this was an entirely avoidable mistake on the part of Trump’s tech staff,” Vickery concludes. “We’ll probably never know how bad the exposure really was or what other files I could have found.”
During his campaign Trump has made great play of rival Hillary Clinton’s use of an insecure personal email server during her time as US Secretary of State.
The Trump campaign’s misconfigured storage is embarrassing but hardly damaging politically, unlike the Clinton email server issue.
Independent security experts note that mistakes of the kind Team Trump made are all too commonplace across many industries.
“Vulnerabilities like the one affecting the official website of Donald Trump are all too common, enabling hackers to bypass authorisation controls to access sensitive files,” explained Robert Page, lead penetration tester at Redscan.
“While in this instance, the breach appears not to have been particularly serious, intrusions like this can be significantly more damaging if hackers research site file naming conventions to conduct wider, more targeted brute force attacks.” ®
Vickery has previously uncovered how similar database configuration errors have revealed more than was intended about US and (in a separate case) Mexican voters.
And – just to preempt talk of a possible Trump-themed solution – building a firewall between the two databases wouldn’t be much help.