Security Experts:

Hackers Could Have Hijacked Trump Campaign Email Server: Researchers

The official campaign website of U.S. President Donald Trump exposed information that may have allowed hackers to intercept emails and send out emails on behalf of the Trump campaign, according to security experts.

The issue was related to Laravel, a popular open source PHP web application framework. The framework includes a debug mode that allows developers to find errors and misconfigurations on their websites.

This debug mode should only be enabled during development, but many developers have failed to disable it once their website is live. Live websites that have the debug mode enabled can expose various types of backend information, including credentials and secret keys.

Comparitech researchers Bob Diachenko and Sebastien Kaul have scanned the web for websites that have the Laravel debug mode enabled and found over 760 sites. They estimated that roughly 10-20 percent of those sites exposed sensitive configuration data, including the Trump campaign website hosted at donaldjtrump.com.

According to Comparitech, Trump’s website exposed mail server information in clear text. This information could have been leveraged by malicious actors to intercept outgoing emails or send emails on behalf of the Trump campaign.

It’s unclear how long the debug mode was left enabled on Trump’s website, but it took roughly five days for the U.S. president’s campaign to address the issue after being notified.

“Even 24 hours is dangerous enough. Theoretically, anybody could use these credentials to impersonate the Trump campaign and send emails on behalf of email.donaldtrump.com,” Diachenko explained.

Contacted by SecurityWeek, the Trump campaign said the problem was fixed and claimed that nothing was at risk. The organization blamed it on outdated legacy code.

The fact that websites can expose sensitive information if the Laravel debug mode is left enabled has been known for some time. Last year, Diachenko and Kaul found 566 affected websites using the Shodan and BinaryEdge search engines.

*The article has been updated based on information received from the Trump campaign

Related: JIRA Misconfiguration Leaks Data of Fortune 500 Companies

Related: Misconfigured Jenkins Servers Leak Sensitive Data

Related: Misconfigured Google Groups Expose Sensitive Data

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.