Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Democrats Privacy

A Bug In Joe Biden's Campaign App Gave Anyone Access To Millions of Voter Files (techcrunch.com) 83

schwit1 shares a report from TechCrunch: A privacy bug in Democratic presidential candidate Joe Biden's official campaign app allowed anyone to look up sensitive voter information on millions of Americans, a security researcher has found. The campaign app, Vote Joe, allows Biden supporters to encourage friends and family members to vote in the upcoming U.S. presidential election by uploading their phone's contact lists to see if their friends and family members are registered to vote. The app uploads and matches the user's contacts with voter data supplied from TargetSmart, a political marketing firm that claims to have files on more than 191 million Americans.

When a match is found, the app displays the voter's name, age and birthday, and which recent election they voted in. This, the app says, helps users find people you know and encourage them to get involved." While much of this data can already be public, the bug made it easy for anyone to access any voter's information by using the app. The App Analyst, a mobile expert who detailed his findings on his eponymous blog, found that he could trick the app into pulling in anyone's information by creating a contact on his phone with the voter's name.
The Biden campaign fixed the bug and pushed out an app update on Friday.

"We were made aware about how our third-party app developer was providing additional fields of information from commercially available data that was not needed," Matt Hill, a spokesperson for the Biden campaign, told TechCrunch. "We worked with our vendor quickly to fix the issue and remove the information. We are committed to protecting the privacy of our staff, volunteers and supporters will always work with our vendors to do so."
This discussion has been archived. No new comments can be posted.

A Bug In Joe Biden's Campaign App Gave Anyone Access To Millions of Voter Files

Comments Filter:
  • by HotNeedleOfInquiry ( 598897 ) on Tuesday September 15, 2020 @05:58PM (#60509454)
    Why did Biden's campaign have access to all this sensitive material? The answer is simple. Voting records are public information in the US. Go down the the county elections office and ask to see it. It's there for the taking.
    • Agreed. Looking into this, it is a big nothing burger. The Russians are probably laughing at every faux pas while they silently hack into more sensitive systems.
    • by skids ( 119237 )

      Yeah it's not like you can't get someone's date of birth fairly easily, but...

      This is a good "learning moment" for anyone involved in contracting an app developer. App companies don't know crap about appropriate privacy. You have to review what they did. Do not assume they have anything resembling common sense.

      (If you're very lucky, you'll actually get a functional App. Maybe even on time. From what I've seen that's less than half the time, though.)

      • Its *scary* what I've had to deal with as a developer in the past. Customers giving me APIs with literally no authentication but able to read off credit cards which where stored locally FOR SOME REASON. I'd complain and say "hey, ah you realise that you've back doored the credit card db and your not actually supposed to store credit cards anyway?". They'd always just brush it off with something like "Nobody will find it, its a non standard port!" or something. As a freelancer I'd always resign at that point

        • by skids ( 119237 )

          Good on you for sticking to your guns... I hope that doesn't set you back too much financially. For every one of you there seem to be 10 contractors that can barely manage to drool on their keyboards long enough to produce an actual app, so those who swoop in after you resign probably lead the customer in circles for months on end.

          Fortunately for me (not a dev, but I face similar circumstances where it's painfully obvious next to nobody else in my position is handling data securely) my employer lets me spe

          • God its not like it matters much. Im utterly hopeless at estimation so I have a tendency of having to put in lots of unpaid labor just so I can make good on my word and get shit done. I suck at business so whats a few lost contracts. If I was a bit less honest (or a bettter estimator) Id be rolling in fat stacks by now. Instead im just living hand to mouth

    • Re: (Score:2, Insightful)

      by Truth_Quark ( 219407 )
      It matters that they support Biden.

      Now efforts can be made to de-register them.
    • by Luthair ( 847766 )

      For most states its available to the public, otherwise academics, political parties, candidates (even that guy you've never heard of). https://www.ncsl.org/research/... [ncsl.org]

      This almost a non-story in reality.

    • by Rhipf ( 525263 )

      Also, the Biden campaign didn't have access to the data (well not directly anyway). They were using a third party (TargetSmart) to supply the data to the app.

      Is this:

      The App Analyst, a mobile expert who detailed his findings on his eponymous blog, found that he could trick the app into pulling in anyone's information by creating a contact on his phone with the voter's name.

      really a bug? The app is supposed to pull up the data of anyone in your contact so if you add a contact shouldn't that new contact's information be available? Now maybe the actual bug is that too much information is being shown for all contacts that you look up but the summary makes it look like the quoted statement is the bug that was found. T

  • Even without the bug, the whole concept is horribly intrusive. Yuck.

    • But isnt it intrusive to badger friends and family to vote (LIKE YOU)
    • Re: (Score:1, Troll)

      by rtb61 ( 674572 )

      It is data mining, they are after two bits of information, who is registered to vote and the second bit, but does not vote. So the corporate DNC CAN POSTAL VOTE FOR THEM AND WIN.

      A data analysis of incoming postal votes should be made. Those who did not vote for over two elections cycles and all of a sudden made a postal vote. A sampling of ten thousands should be taken and asked if they actually did make that postal vote or the alternate it is printed out and posted, a mass printing and posting. Those pos

      • Re: (Score:2, Flamebait)

        by skids ( 119237 )

        Man you guys are desperate, trying to build an entire alternate reality just to keep the Golden Boy in office. When we watched that idiot dubya get elected with massive poll suppression, we at least valued the peaceful transition of power enough not to try to foment a revolution.

      • by Rhipf ( 525263 )

        At least the DNC isn't telling their supporters to submit mail-in votes and also go to a polling station and do in-person voting. https://www.cbsnews.com/news/t... [cbsnews.com]

  • Anyone can download the old version of the app from an archive and exploit the bug.
    • by WankerWeasel ( 875277 ) on Tuesday September 15, 2020 @06:10PM (#60509486)
      Those voting records are publicly available. Anyone can get that information without any need for an app to do so. Head down to your local government office and ask.
      • Scale matters.

      • There's a difference between someone being interested enough to make the effort to access public records and an app actively encouraging people to get voting history of their family and friends so they can harass them. This does feel like it's crossing a line despite the data being public and freely available.

        • I agree with you. But the severity of the crime should at least be compared to other similar practices, even those not privacy related.

          Take apps like dine and dash(I think is ehat its called), that use publically available menus of restaurants and make them available in their app. They didnt work up partnerships with every restaurant, and yet those restaurants potentially lose face because a driver let the food get cold before delivering.

          Not suggesting they are the same in severity, just highlighting tha

        • by Rhipf ( 525263 )

          So is this same data available to both parties?
          Do both parties take advantage of these public lists to "harass" strangers to vote?
          Is this "crossing a line despite the data being public and freely available" also?

  • Way to go Joe.
  • by Hizonner ( 38491 ) on Tuesday September 15, 2020 @08:20PM (#60509782)

    Frankly, any user who uploads a contact list to anything without the specific permission of everybody on that list is a piece of shit... and should probably be subject to every kind of fine and penalty that you'd apply to a corporation that sent people's data to random places with no permission or discloser. Why does a random business associate or "friend" get a pass for doing things that a Web site would get headlines by doing? ... and the functionality pattern "match all of your contacts against this or that kind of list" is pretty fucking creepy in itself. It could be done done locally, using various cryptography to assure that only the user learned which contacts matched, and the user didn't learn anything about anybody who wasn't already a contact... and it would still be unacceptable.

    "Contacts" is not even a kind of access that a mobile app should be able to request.

  • Or is it a feature?

  • by backslashdot ( 95548 ) on Tuesday September 15, 2020 @08:56PM (#60509876)

    Back in the 1980s I was an elite hacker and obtained a printed compilation of everyone in my town's name, address, and phone number.

  • It's Drumpf who's old and incompetent and evil and something something, not VigorousAndManlyJoe(TM)
  • that said, good on his campaign, that they were notified, and fixed it, and pushed out the fix ASAP?

    Now, if only for-profit companies would be half that fast.

You know you've landed gear-up when it takes full power to taxi.

Working...