September 14, 2016 | 6 min read
Trump Website Leak
The problem was that, if you asked real nicely, Trump’s asset repository was willing to hand out insider data. His team had bungled the settings on their Amazon S3 server, located at http://assets.donaldjtrump.com.s3.amazonaws.com.
After discovering that this asset server existed, and noticing that my URL fuzzer was being met with HTTP 301 redirects instead of HTTP 403 denials, I started digging. Because directory listing was disabled, there was no easy way to enumerate folder names within the asset bucket. I was running through a small dictionary of common folder names when I got a hit on a folder named “resumes”.
But this was still one step away from being a true leak. I needed more than just a folder name. I needed an actual downloadable file, and, due to the server being unwilling to provide a straightforward list of directory contents, I would need to correctly guess the name of a document before any successful download could take place.
Being the bright, young lad that I am, it occurred to me that there could be a few different naming schemes for files within a résumé directory. If an organized human was moving files into this directory, then perhaps the files would be named something like FirstnameLastname.pdf or Lastname,Firstname.docx. But guessing applicant names would be a complicated and rather tricky way to look for files.
I decided to cross my fingers and hope that whoever designed this system was using an automated script to move files into the résumé directory. So, what kind of name would an automated script assign? Well, probably something similar to “resume_1.pdf”.
With a head full of optimism, I quickly pointed my browser to http://assets.donaldjtrump.com.s3.amazonaws.com/resumes/resume_1.pdf. Bingo! I was met with a download dialogue window. The file contained a glut of personal details, work/education history, and references for a young person hoping to become an intern with the Trump campaign.
I didn’t spend too much time looking for additional résumés. Some basic filename fuzzing readily turned up 24 of them with names ranging from “resume2.docx” to “resume_9.pdf” and even “resumeDT.pdf”. Several redacted samples are pictured above this post.
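From the bucket owner's side, the probing described above leaves a distinctive trail in S3 server access logs: an anonymous requester issuing a run of object GETs whose keys differ only by a digit, most of them answered with 404. The following detector is an added example written for this post, not code from the original article or from the campaign's systems; the log lines are constructed in the S3 server access log layout and the IP addresses and bucket name are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in the S3 server access log format (fields after
# error_code omitted). An anonymous requester is logged as "-". The first
# client walks resumes/resume_N.pdf; the second is an ordinary site visitor.
SAMPLE_LOG = """\
acct1 assets-bucket [14/Sep/2016:10:00:01 +0000] 203.0.113.5 - R1 REST.GET.OBJECT resumes/resume_1.pdf "GET /resumes/resume_1.pdf HTTP/1.1" 200 - 10240 10240 12 11 "-" "fuzzer/1.0"
acct1 assets-bucket [14/Sep/2016:10:00:02 +0000] 203.0.113.5 - R2 REST.GET.OBJECT resumes/resume_2.pdf "GET /resumes/resume_2.pdf HTTP/1.1" 404 NoSuchKey - - 3 - "-" "fuzzer/1.0"
acct1 assets-bucket [14/Sep/2016:10:00:03 +0000] 203.0.113.5 - R3 REST.GET.OBJECT resumes/resume_3.pdf "GET /resumes/resume_3.pdf HTTP/1.1" 404 NoSuchKey - - 3 - "-" "fuzzer/1.0"
acct1 assets-bucket [14/Sep/2016:10:00:04 +0000] 203.0.113.5 - R4 REST.GET.OBJECT resumes/resume_4.pdf "GET /resumes/resume_4.pdf HTTP/1.1" 404 NoSuchKey - - 3 - "-" "fuzzer/1.0"
acct1 assets-bucket [14/Sep/2016:10:00:05 +0000] 203.0.113.5 - R5 REST.GET.OBJECT resumes/resume_9.pdf "GET /resumes/resume_9.pdf HTTP/1.1" 200 - 8192 8192 10 9 "-" "fuzzer/1.0"
acct1 assets-bucket [14/Sep/2016:10:00:06 +0000] 198.51.100.7 - R6 REST.GET.OBJECT img/logo.png "GET /img/logo.png HTTP/1.1" 200 - 4096 4096 5 4 "-" "Mozilla/5.0"
acct1 assets-bucket [14/Sep/2016:10:00:07 +0000] 198.51.100.7 - R7 REST.GET.OBJECT css/site.css "GET /css/site.css HTTP/1.1" 200 - 2048 2048 4 3 "-" "Mozilla/5.0"
"""

# Leading fields of the S3 server access log format, through error_code.
_LINE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<req_id>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}|-) (?P<error>\S+)'
)
_DIGITS = re.compile(r'\d+')  # resume_1.pdf and resume_9.pdf share one stem

def parse_line(line):
    m = _LINE.match(line)
    return m.groupdict() if m else None

def find_anonymous_guessing(log_text, min_misses=3):
    """Return {ip: summary} for anonymous clients whose object GETs look like
    name guessing: several 404s against keys that differ only by digits."""
    per_ip = defaultdict(lambda: {"hits": 0, "misses": 0, "stems": defaultdict(int)})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["requester"] != "-" or rec["op"] != "REST.GET.OBJECT":
            continue
        entry = per_ip[rec["ip"]]
        entry["stems"][_DIGITS.sub("#", rec["key"])] += 1
        if rec["status"] == "404":
            entry["misses"] += 1
        elif rec["status"] == "200":
            entry["hits"] += 1
    findings = {}
    for ip, e in per_ip.items():
        stem, count = max(e["stems"].items(), key=lambda kv: kv[1])
        if e["misses"] >= min_misses and count >= min_misses:
            findings[ip] = {"hits": e["hits"], "misses": e["misses"], "stem": stem}
    return findings
```

A non-empty result is also a reminder that the real fix is not log monitoring but removing anonymous read access from the bucket; a 200 in the `hits` count means a document has already left.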
Having confirmed my suspicions, and definitively proving that a leak of personally identifiable information existed, the next step had to be notifying the appropriate people in order to secure the data and fix the leak. That was the only ethical thing to do, even if it meant that I wouldn’t have much time to fully explore the rabbit hole.
Knowing that Trump’s team is active on Twitter, I decided to ping them on that platform via my rarely-used Twitter account, @VickerySec. There was no response, so I decided to reach out to a trusted journalist friend that has helped me secure data breaches on several occasions. She is known by the moniker “Dissent” and is the administrator of Databreaches.net (a site I highly recommend).
Dissent (aka @PogoWasRight on Twitter) was able to contact the right people and get word of the leak to Trump’s staff. From there, it didn’t take long for the proper server permissions to be applied. Check out her investigation here: https://www.databreaches.net/trumps-campaign-mute-about-data-security-fail
Ultimately this was an entirely avoidable mistake on the part of Trump’s tech staff. We’ll probably never know how bad the exposure really was or what other files I could have found. I have zero confidence that the campaign will be honest about that in whatever response they put out publicly (that’s if they do actually acknowledge the situation).
Let’s just hope that Donald’s team learned a good lesson here, and, if he is elected, that they are capable of guarding national assets better than their website’s assets.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Researcher, Chris Vickery.