A security researcher has managed to find the resumes of prospective interns applying to work on Donald Trump's presidential campaign on his campaign website.
According to Chris Vickery, lead security researcher of the MacKeeper security research team, the campaign website exposed a number of CVs due to a misconfigured asset repository.
This meant that anyone who had direct links could access the files stored in the insecurely configured Amazon S3 bucket.
“After discovering this asset server's existence, and my URL fuzzer being met with code 301 redirects instead of code 403 denials, I started digging,” said Vickery in a blog post.
“Because directory listing was disabled, there was no easy way to enumerate folder names within the asset bucket. I was running through a small dictionary of common folder names when I got a hit on a folder named ‘resumes’.”
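The pattern Vickery describes, a burst of requests for guessed folder names answered with 301, 403 or 404 until one lands, is visible to the bucket owner if S3 server access logging is enabled. The following is an added example, not code from the article or from anyone quoted in it: a small Python script that parses the leading fields of the S3 server access log format and flags remote IPs whose traffic looks like dictionary guessing. The bucket name, owner hash, request IDs and log lines are constructed for illustration, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Leading fields of the Amazon S3 server access log layout:
# owner bucket [time] remote_ip requester request_id operation key "request_uri" status error_code ...
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}) (?P<error>\S+)'
)


def parse_line(line):
    """Return a dict of the parsed fields, or None if the line is not in the expected layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_enumerators(lines, min_requests=10, min_miss_ratio=0.8):
    """Group requests by remote IP and flag those that look like folder-name guessing:
    at least min_requests requests, most of them answered with 301/403/404.
    Keys that returned 200 from a flagged IP are reported so the owner knows what was reached."""
    per_ip = defaultdict(lambda: {"total": 0, "miss": 0, "keys": set(), "hits": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an access-log line; skipped rather than crashing the audit
        stats = per_ip[rec["ip"]]
        stats["total"] += 1
        stats["keys"].add(rec["key"])
        if rec["status"] in (301, 403, 404):
            stats["miss"] += 1
        elif rec["status"] == 200:
            stats["hits"].add(rec["key"])

    findings = {}
    for ip, stats in per_ip.items():
        ratio = stats["miss"] / stats["total"]
        if stats["total"] >= min_requests and ratio >= min_miss_ratio:
            findings[ip] = {
                "requests": stats["total"],
                "miss_ratio": round(ratio, 2),
                "distinct_keys": len(stats["keys"]),
                "hits_after_guessing": sorted(stats["hits"]),
            }
    return findings


def _log_line(sec, ip, key, status, error):
    # Helper that builds one constructed log line; OWNERHASH, example-assets and REQnnn are placeholders
    return (f'OWNERHASH example-assets [10/Aug/2016:14:03:{sec:02d} +0000] {ip} - '
            f'REQ{sec:03d} REST.GET.OBJECT {key} "GET /{key} HTTP/1.1" {status} {error}')


# Constructed sample: one IP walks a dictionary of common folder names, then reaches a file;
# a second IP makes two ordinary requests for site assets.
_GUESSES = ["admin", "backup", "config", "docs", "files",
            "images", "private", "uploads", "users", "tmp"]
_MISSES = [(404, "NoSuchKey"), (403, "AccessDenied"), (301, "PermanentRedirect")]

SAMPLE_LOG = [
    _log_line(i, "203.0.113.7", f"{name}/", *_MISSES[i % 3])
    for i, name in enumerate(_GUESSES)
] + [
    _log_line(10, "203.0.113.7", "resumes/cv_001.pdf", 200, "-"),
    _log_line(11, "198.51.100.20", "images/logo.png", 200, "-"),
    _log_line(12, "198.51.100.20", "css/site.css", 200, "-"),
    "this line is not in the expected format and is skipped",
]

if __name__ == "__main__":
    for ip, finding in find_enumerators(SAMPLE_LOG).items():
        print(ip, finding)
```

Redirects count as misses here because, as the quote above notes, a 301 on a guessed name leaks the same information as a 403 or 404 would: the guesser learns the name is worth following. The script only reads logs; the corresponding prevention is to keep objects private and serve them through pre-signed URLs or a CDN origin, so that a correct guess still returns a denial.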
The resumes contain details such as names, home and email addresses, phone numbers, and education and work experience.
Vickery added that the leak of data was “an entirely avoidable mistake on the part of Trump's tech staff.”
“We'll probably never know how bad the exposure really was or what other files I could have found. I have zero confidence that the campaign will be honest about that in whatever response they put out publicly (that's if they do actually acknowledge the situation),” he added.
“Let's just hope that Donald's team learned a good lesson here, and, if he is elected, that they are capable of guarding national assets better than their website's assets,” said Vickery.
Robert Page, lead penetration tester at Redscan, told SCMagazineUK.com that vulnerabilities like the one affecting the official website of Donald Trump are all too common, enabling hackers to bypass authorisation controls to access sensitive files.
“While in this instance, the breach appears not to have been particularly serious, intrusions like this can be significantly more damaging if hackers research site file naming conventions to conduct wider, more targeted brute force attacks.”
Lee Munson, security researcher for Comparitech.com, told SC that love him or hate him, Donald Trump has a real shot at the White House in the upcoming US elections. “Should that worry the security-conscious among you? Hell yeah!”
“Even if you are not concerned by his request to Russian President Vladimir Putin to cyber-attack his country to boost his chances of being elected, the fact that his own website allegedly has more leaks than Hillary Clinton's private email server should be enough to convince you that American information assets are at peril.”