
Website vulnerability left credentials exposed, including a Trump site

Numerous websites have recently exposed credentials, according to researchers at Comparitech who worked in tandem with security researchers Bob Diachenko and Sebastien Kaul. As the recent post from Comparitech notes, the vulnerability can be traced specifically to a PHP framework named Laravel that was left in debug mode on roughly 20 percent of the 768 websites with active Laravel sessions. The most prominent of the websites left in debug mode belongs to U.S. President Donald Trump.

Researchers discovered that a website for Donald Trump’s reelection campaign had been left in debug mode. They explain the consequences of this in the following excerpt from their research post:

"A subdomain of Trump’s campaign website contained a mail server configuration exposed in plain text, visible from any web browser through the Laravel debug interface. It’s impossible for us to determine when debug mode was enabled, so we don’t know how long the data was at risk... The potential consequences of such an exposure are quite serious; Trump’s campaign website is used to solicit donations, after all. Attackers could have intercepted correspondence with Trump supporters or phish campaign contributors, among other crimes... To be clear, this is not a breach of user data; no user records were leaked. This exposure instead gave hackers an attack vector to potentially hijack mail servers, explore source code structure, find weak points, re-use passwords on other systems, and mount other types of attacks."

All parties affected by the website vulnerability, including the Trump campaign, were notified by Comparitech on October 11. The Trump campaign fixed the issue on October 16. It is unknown why an issue that is relatively simple to fix took so long to remedy, considering the resources at the president’s disposal. Furthermore, it is rather embarrassing for all the web developers, especially those on the Trump payroll, who left the PHP framework in debug mode. Turning debug mode off on a live site is rudimentary knowledge, and the exposure should never have occurred in the first place.

Then again, most mistakes that lead to security issues tend to be rather avoidable ones.
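One way to catch this before deployment, as an added example that is not from Comparitech's research or the original article: a Python check over a Laravel `.env` file that fails when `APP_DEBUG` is on outside a local environment and lists the secret-looking keys a debug page could then display. `APP_DEBUG` and `APP_ENV` are Laravel's standard settings; the sample file, the key-name pattern and the value handling are assumptions made for illustration.

```python
import re

# Constructed sample .env for illustration; every value is a placeholder.
SAMPLE_ENV = """\
# constructed example
APP_ENV=production
APP_DEBUG=true
APP_KEY=base64:PLACEHOLDER
MAIL_HOST=smtp.example.test
MAIL_USERNAME=mailer
MAIL_PASSWORD="placeholder-not-real"
DB_PASSWORD=
"""

# Assumption: strings that end up falsy after Laravel's env() helper and PHP's
# boolean cast; any other value leaves debug mode on.
FALSY = {"", "0", "false", "(false)", "null", "(null)", "empty", "(empty)"}
# Assumption: key names that usually hold credentials.
SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|KEY", re.I)

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments, stripping quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def debug_enabled(env):
    # A missing APP_DEBUG is treated as off (assumed framework default).
    return env.get("APP_DEBUG", "false").strip().lower() not in FALSY

def audit(text):
    """Return (blocking, at_risk): whether to fail the deploy, and which
    secret-looking keys hold a value that a debug page could display."""
    env = parse_env(text)
    on = debug_enabled(env)
    at_risk = sorted(k for k, v in env.items() if v and SECRET_NAME.search(k))
    # Assumption: an unset APP_ENV is treated as production.
    blocking = on and env.get("APP_ENV", "production") != "local"
    return blocking, (at_risk if on else [])

if __name__ == "__main__":
    blocking, at_risk = audit(SAMPLE_ENV)
    print("FAIL" if blocking else "OK", at_risk)
```

Run against the `.env` that will actually ship, the check belongs in the deployment pipeline so a debug-enabled build never reaches a public host.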


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
