Will Glazier, Cequence Security Comments on Joe Biden Campaign App's Major Privacy Bug
Joe Biden's campaign app was flagged earlier this week for a major privacy bug. According to TechCrunch, the bug allowed anyone with modest security know-how to look up sensitive voter information on millions of Americans. This was an extreme case of a security lapse.
Zack Whittaker of TechCrunch reports:
"The campaign app, Vote Joe, allows Biden supporters to encourage friends and family members to vote in the upcoming U.S. presidential election by uploading their phone’s contact lists to see if their friends and family members are registered to vote. The app uploads and matches the user’s contacts with voter data supplied from TargetSmart, a political marketing firm that claims to have files on more than 191 million Americans.
When a match is found, the app displays the voter’s name, age and birthday, and which recent election they voted in. This, the app says, helps users “find people you know and encourage them to get involved.”
While much of this data can already be public, the bug made it easy for anyone to access any voter’s information by using the app."
While the exposure was certainly not intentional, it shows the danger of poor application security hygiene, even in a campaign operating at the highest level.
Will Glazier, Head of Cequence Security's CQ Prime Threat Research Team, had this to say about the incident:
“As the use of APIs has increased – both by developers and by malicious actors – API security efforts have lagged quite a bit behind API usage. In just the past few months, we’ve seen major API security incidents with MGM, Starbucks, Data Viper, Docker and now the Joe Biden app. As we’ve shifted to and expanded API-based architectures, it’s created new security vulnerabilities and expanded attack surfaces that are now firmly on hackers’ radars. While this incident does not appear to have been malicious, it did create an environment where opportunistic bad actors can easily access sensitive information. It’s critical for organizations to better discover, assess and mitigate the API vulnerabilities putting their data and reputations at risk.”