Hackers Could Have Hijacked Trump Campaign Email Server: Researchers

The official campaign website of U.S. President Donald Trump exposed information that may have allowed hackers to intercept emails and send out emails on behalf of the Trump campaign, according to security experts.

The issue was related to Laravel, a popular open source PHP web application framework. The framework includes a debug mode that allows developers to find errors and misconfigurations on their websites.

This debug mode should only be enabled during development, but many developers have failed to disable it once their website is live. Live websites that have the debug mode enabled can expose various types of backend information, including credentials and secret keys.

Comparitech researchers Bob Diachenko and Sebastien Kaul have scanned the web for websites that have the Laravel debug mode enabled and found over 760 sites. They estimated that roughly 10-20 percent of those sites exposed sensitive configuration data, including the Trump campaign website hosted at donaldjtrump.com.

According to Comparitech, Trump’s website exposed mail server information in clear text. This information could have been leveraged by malicious actors to intercept outgoing emails or send emails on behalf of the Trump campaign.
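A pre-deployment check for the misconfiguration described above, as an added example that is not code from the article, Comparitech or Laravel. The key names (`APP_ENV`, `APP_DEBUG`, `APP_KEY`, `MAIL_*`) follow Laravel's default `.env` file; the secret-name list, the sample values and the rule that any non-false value counts as enabled are assumptions of this example.

```python
import re

# Values that leave debug off once Laravel's env() helper and a (bool) cast are
# applied; anything else counts as "on" (a conservative assumption of this example).
FALSY = {"", "0", "false", "(false)", "null", "(null)", "empty", "(empty)"}
# Key-name fragments that usually mark secrets in a Laravel .env file (assumed list).
SECRET_HINTS = ("PASSWORD", "SECRET", "KEY", "TOKEN", "USERNAME")
LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def parse_env(text):
    """Parse KEY=value lines, handling comments, quotes and an 'export' prefix."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if line.lstrip().startswith("#") or not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw[:1] in ("'", '"'):                 # quoted: keep text up to the closing quote
            end = raw.find(raw[0], 1)
            raw = raw[1:end] if end != -1 else raw[1:]
        else:                                     # unquoted: drop a trailing " # comment"
            raw = raw.split(" #", 1)[0].strip()
        values[key] = raw
    return values

def audit(text):
    """Return findings when debug mode is on outside a local/testing environment."""
    env = parse_env(text)
    app_env = env.get("APP_ENV", "production").lower()
    debug_on = env.get("APP_DEBUG", "false").lower() not in FALSY
    if not debug_on or app_env in ("local", "testing"):
        return []
    secrets = sorted(k for k, v in env.items() if v and any(h in k for h in SECRET_HINTS))
    return [f"APP_DEBUG is enabled with APP_ENV={app_env}"] + [
        f"secret may be shown on an error page: {k}" for k in secrets]

# Constructed sample input; every value is a placeholder.
LIVE_ENV = """\
APP_ENV=production
APP_DEBUG=true
APP_KEY=base64:CONSTRUCTED-PLACEHOLDER
MAIL_HOST=smtp.example.test
MAIL_USERNAME="mailer@example.test"
MAIL_PASSWORD='constructed-password'  # placeholder
"""
FIXED_ENV = LIVE_ENV.replace("APP_DEBUG=true", "APP_DEBUG=false")

if __name__ == "__main__":
    for finding in audit(LIVE_ENV):
        print("FAIL:", finding)
    print("fixed file findings:", audit(FIXED_ENV))
```

Run against the `.env` file that ships to the live host, a non-empty result is a reason to block the release and rotate any credential that was already exposed.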

It’s unclear how long the debug mode was left enabled on Trump’s website, but it took roughly five days for the U.S. president’s campaign to address the issue after being notified.

“Even 24 hours is dangerous enough. Theoretically, anybody could use these credentials to impersonate the Trump campaign and send emails on behalf of email.donaldtrump.com,” Diachenko explained.

Contacted by SecurityWeek, the Trump campaign said the problem was fixed and claimed that nothing was at risk. The organization blamed it on outdated legacy code.

The fact that websites can expose sensitive information if the Laravel debug mode is left enabled has been known for some time. Last year, Diachenko and Kaul found 566 affected websites using the Shodan and BinaryEdge search engines.

*The article has been updated based on information received from the Trump campaign

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
