A privacy flaw in Democratic presidential candidate Joe Biden The official campaign app made it possible for anyone to look up sensitive voter information about millions of Americans, a security researcher found.
With the campaign app Vote Joe, Biden supporters can encourage friends and family members to vote in the upcoming US presidential election by uploading their phone’s contact lists to see if their friends and family members are registered to vote. The app uploads the user’s contacts and compares them to voter data from TargetSmart, a political marketing firm that claims to have files on 191 million Americans.
When a match is found, the app will display the name, age, and birthday of the voter, and the last choices made. This helps users “find people you know and encourages them to get involved”.
However, the App Analyst, a mobile expert who detailed his findings on his blog of the same name, found that he could trick the app into retrieving a voter’s information by simply making a contact with the voter’s name on their phone .
Worse, he told TechCrunch, the app pulls in a lot more data than it actually shows. By intercepting the data flowing in and out of the device, he saw far more detailed – and confidential – voter information, including the voter’s home address, date of birth, gender, ethnicity, and political party affiliation like Republicans or Democrats.
The Biden campaign fixed the bug and released an app update on Friday.
“We were made aware of how our third-party app developer was providing additional fields of information from commercially available data that were not needed,” Matt Hill, spokesman for the Biden campaign, told TechCrunch. “We worked quickly with our supplier to fix the problem and remove the information. We are committed to protecting the privacy of our employees, volunteers and supporters and will always work with our suppliers to do this. “
A TargetSmart spokesperson said “a limited amount of publicly or commercially available data” is available to other users.
It is not uncommon for political campaigns to trade and share large amounts of voter information, called voter files. These contain basic information such as the name of a voter and the political parties with which they are registered. Although much of this data is public, political companies are trying to enrich their databases with additional data from other sources to help political campaigns identify and target key swing voters.
However, several security vulnerabilities involving these huge databases have challenged whether political corporations can keep this data safe.
It’s not the first time TargetSmart has been involved in a data breach. In 2017, a voter record compiled by TargetSmart of nearly 600,000 voters in Alaska was left on an exposed server without a password. And in 2018, TechCrunch reported that nearly 15 million records of Texas voters were found on an exposed and unsecured server, just months before the US midterm elections.
Last week, Microsoft warned that hackers backed by Russia, China and Iran are targeting both the 2020 presidential campaigns and their political advisors. Reuters reported that one of these companies, SKDKnickerbocker of Washington DC, a political advisor to the Biden campaign, was targeted by Russian intelligence, but that there was “no violation.”