The majority of primary campaign websites of United States presidential candidates run code that can pose security and privacy risks to consumers, The Media Trust has discovered.
The security firm has monitored 11 websites during September and December 2019, and discovered that 81% of them execute code from third-party entities unmanaged by the candidate teams. Moreover, 6% of the domains executing on candidate websites were linked to malicious and/or suspect activity.
The monitored campaign websites are the ones of Joe Biden – joebiden.com; Cory Booker – corybooker.com; Pete Buttigieg – peteforamerica.com; Julian Castro – julianforthefuture.com; Kamala Harris – kamalaharris.org; Amy Klobuchar – amyklobuchar.com; Beto O’Rourke – betoorourke.com; Bernie Sanders – berniesanders.com; Elizabeth Warren – elizabethwarren.com; Andrew Yang – yang2020.com; and Donald Trump – donaldjtrump.com.
Although many candidates dropped out of the race, their websites continue to be active, drawing traffic and asking visitors to share their personal information.
In a newly published report (PDF), The Media Trust revealed that one of the analyzed websites directed consumers to media websites that served adware. All of the candidate websites allow tracking of consumers for at least 2 years, while 6 allow it for at least 20 years.
According to the report, over two-thirds of the executing code on a payment page was found to have no relevance to transactions. However, this unnecessary code can pose a serious security risk as it could introduce exploitable vulnerabilities.
Most of the code (95%) on Booker’s donation page is not relevant to payment processing and 56 distinct data tracking technologies were found to be executed on Warren’s donation page. Additionally, Klobuchar’s digital footprint and cookie use is three times larger than the next closest candidate website, the report reveals.
On average, The Media Trust explains, 54 domains from 89 vendors are executed on a candidate’s website. Between September and December, the number increased from 66 domains to 111, while that of vendors went from 38 to 70. All websites used Facebook, Google, and Twitter, except for donaldjtrump.com, where Twitter was not executing.
According to the report, consumers were exposed, on average, to 146 cookies when accessing a candidate’s website. The average number increased from 126 in September to 166 in December, but in Biden’s case, the increase was over 1000% (from 24 to 298 cookies).
“The change in cookie count indicates a ramp up in campaign outreach activity. The candidate is widening their target base and using more tracking capabilities to ensure their message repeatedly is placed in front of the right individuals,” The Media Trust explains.
Over 49% of the cookies had a lifespan of more than 1 year, but almost all candidates were observed dropping cookies with a 20-year lifespan in both September and December. Cookies on the Biden and Klobuchar websites have lifespans of 68 and 99 years.
The security firm also discovered that consumers were exposed to malicious activity, with the most recent incident detected in February 2020. In these incidents, the Klobuchar website linked to a news story hosted on two different media websites that delivered adware.
“Candidates—like enterprises—are responsible for the code their websites and mobile apps put on consumer devices. Regardless if this code is malicious or collecting personal data, the presence of unmanaged third-party code demonstrates vulnerabilities in candidate websites. This third-party code can be used to surreptitiously collect consumer information to target individuals with misinformation or distribute malware and bots for future attacks,” The Media Trust concludes.