The American presidential candidate Donald Trump is known for his frequent use of social media, and sometimes for security breaches that take place on his hotel’s servers and election campaign website. Now his official website has been found leaking personal data of people who applied for an internship with his election campaign.
Information leaks from Trump’s asset repository
Chris Vickery, a security researcher from MacKeeper, was the one to discover this issue, which has led the security team of Trump’s campaign to become more cautious than it usually is. Although the leaked information was limited to the resumes of interns who had expressed interest in working for Trump’s campaign, and as such is not that critical, it still shows the disregard that the business magnate has for such matters.
A closer look at the incident
Vickery explained that the resumes were found on Amazon’s cloud server and that the website itself was badly configured. The misconfiguration allowed Vickery to access the asset repository in which the interns’ resumes were stored. The actual lead that helped Vickery realize the weakness was the fact that there was a code 301 error rather than a 401 denial. This made him curious, and after playing a bit with the website he stumbled upon the folder containing the resumes.
“After discovering this asset server’s existence, and my URL fuzzer being met with code 301 redirects instead of code 403 denials, I started digging. Because directory listing was disabled, there was no easy way to enumerate folder names within the asset bucket. I was running through a small dictionary of common folder names when I got a hit on a folder named ‘résumés’,” according to Vickery’s blog post.
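A defender's view of the probing Vickery describes, as an added example that is not from the original article or from Vickery: it flags a client that requests many distinct top-level folders and mostly misses, and lists any folder that answered. The log format, the IP addresses, every folder name other than ‘résumés’, the 200 status of the hit and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in a simplified format (not real S3 access-log syntax):
# client_ip  method  path  status
SAMPLE_LOG = """\
198.51.100.7 GET /guess-01/ 301
198.51.100.7 GET /guess-02/ 301
198.51.100.7 GET /guess-03/ 301
198.51.100.7 GET /guess-04/ 301
198.51.100.7 GET /guess-05/ 301
198.51.100.7 GET /r%C3%A9sum%C3%A9s/ 200
203.0.113.20 GET /images/logo.png 200
203.0.113.20 GET /images/banner.png 200
203.0.113.20 GET /css/site.css 200
"""

def top_folder(path):
    """Return the first path segment, percent-decoded, or '' if there is none."""
    parts = unquote(path).lstrip("/").split("/", 1)
    # '/name' with nothing after it is an object at the root, not a folder.
    return parts[0] if len(parts) == 2 else ""

def find_folder_probing(log_text, min_folders=5, min_miss_ratio=0.8):
    """Flag clients that try many distinct folders and mostly get non-200 replies."""
    seen = defaultdict(dict)  # client -> {folder: status, a 200 is never overwritten}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not match the simplified format
        client, _method, path, status = fields
        folder = top_folder(path)
        if folder and seen[client].get(folder) != 200:
            seen[client][folder] = int(status)
    findings = {}
    for client, folders in seen.items():
        hits = sorted(f for f, s in folders.items() if s == 200)
        miss_ratio = (len(folders) - len(hits)) / len(folders)
        if len(folders) >= min_folders and miss_ratio >= min_miss_ratio:
            # 'exposed' are the folders the guessing actually reached.
            findings[client] = {"folders_tried": len(folders), "exposed": hits}
    return findings

if __name__ == "__main__":
    for client, info in find_folder_probing(SAMPLE_LOG).items():
        print(client, info)
```

Because directory listing was disabled, the redirects and the single hit in the request log are the only record of the guessing, which is why the check keys on the number of distinct folders tried per client.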
Such a breach is not uncommon where a website has been badly misconfigured. It only takes an attacker or two with the skills to breach the security to make the security team realize that their mishap can lead to bigger problems. Not to mention that we are talking about a team that works for someone who could be the next president of the United States.
The information that was accessed, however, only related to the names, employment history and other things that one finds on a resume. Vickery said that he had stopped playing with the website; otherwise he might have got some more serious information. This time, it was perhaps to warn the security guys of Trump’s campaign to pay more attention to what they do before they get fired ruthlessly.
“Sucks that it was up for who knows how long, but my info is already in the hands of about every telemarketer and spam emailer in the world,” Vickery told MotherBoard.
Reaction of the victims
One of the interns who was made aware that his information had been leaked simply stated that he was not too surprised, as he has given away resumes to perhaps a number of spammers and other online marketers.
Trump – the usual target
The breach may not be the first of its kind, as Trump has previously been the victim of various hacks, the most recent one being by Anonymous and other hackers who got hold of his payment information.
As of now, the breach is typical for someone who cares mostly about business. However, let’s just say that if Trump gets elected, his people better get more serious about security or who knows what can happen.
MacKeeper / Michael Vadon / Flickr