Access credentials for the Campaign Sidekick app, used by Republican campaigns for voter contacts, surveys and canvassing, were exposed in a code repository within a publicly accessible .git directory. Git is a version control system that records code base changes during software development so that developers can work from the same code.
“The same operations that make git useful for software development, however, also make it possible for code to be exposed when self-hosted git folders are misconfigured,” according to researchers at UpGuard, who discovered the repository in February and reported in a blog post that it has since been secured. “When a .git directory is configured for public accessibility, as was the case for files hosted on campaignsidekick.vote, anyone in the world can view all code and its history.”
Source code and credentials for the GOP app – including code change history since November 2016 – were found in the directory. “Additionally, the data exposed in this project included credentials for accessing the CPanel (website administration software) and Secure File Transfer Protocol servers of another U.S. elections-related company, Voter Gravity,” the researchers wrote. The scripts reveal how data was collated from sources like Facebook and “included identifying details of software developers working on the project who were located within, and residents of, India.”