Trump Campaign Website Left Open to Email Server Hijack
A new investigation by Comparitech found that 768 different websites, including one that is part of US President Donald Trump’s official re-election campaign, were running the Laravel web development framework with “debugging sessions” enabled, and 10 to 20% of those sites were leaking sensitive back-end data as a result.
Web developers can use Laravel to test their websites for bugs and security issues before putting them online. However, many developers fail to disable the tool’s “debug mode” when they are done testing. Comparitech discovered that this mistake can result in the exposure of “back-end website details like database locations, passwords, secret keys and other sensitive info” that could be used by threat actors to take over the website. Bob Diachenko of Comparitech said that Trump’s campaign website DonaldJTrump.com leaked information that could have been used by anybody “to impersonate the Trump campaign and send emails on behalf of email.donaldtrump.com.” The Trump campaign resolved the issue only 5 days after the initial disclosure by Comparitech.
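The misconfiguration described above comes down to one setting: Laravel reads APP_DEBUG from the application's .env file, and when it is true the framework's error page renders stack traces and, depending on the version and error handler, request and environment details, which is how the database, mail and secret-key values mentioned in the article end up exposed. The following pre-deploy guard is an added example written for this summary; it is not code from Comparitech, the Trump campaign or the Laravel project. The key names (APP_ENV, APP_DEBUG, APP_KEY, DB_PASSWORD, MAIL_PASSWORD) are real Laravel .env keys; the two sample .env files are constructed, and the parser is a deliberately minimal stand-in for Laravel's own dotenv loader.

```python
"""
Pre-deploy guard for a Laravel .env file (added example, not project code).
Fails the build when APP_DEBUG is on and reports which secret-bearing keys
a debug error page could expose. The sample .env contents are constructed.
"""

# Laravel .env keys whose values commonly appear on a verbose error page
SENSITIVE_KEYS = (
    "APP_KEY",
    "DB_HOST", "DB_USERNAME", "DB_PASSWORD",
    "MAIL_HOST", "MAIL_USERNAME", "MAIL_PASSWORD",
    "AWS_SECRET_ACCESS_KEY",
)

# Constructed sample: debug left on for a site that also carries live secrets
WEAK_ENV = """
APP_NAME=CampaignSite
APP_ENV=production
APP_DEBUG=true
APP_KEY=base64:EXAMPLEKEYNOTREAL0000000000000000000000000=
DB_HOST=db.internal.example
DB_PASSWORD="s3cret-example"
MAIL_HOST=mail.example.invalid
MAIL_PASSWORD=mailpass-example
"""

# Constructed sample: the corrected configuration for the same site
HARDENED_ENV = """
APP_NAME=CampaignSite
APP_ENV=production
APP_DEBUG=false
APP_KEY=base64:EXAMPLEKEYNOTREAL0000000000000000000000000=
DB_HOST=db.internal.example
DB_PASSWORD="s3cret-example"
MAIL_HOST=mail.example.invalid
MAIL_PASSWORD=mailpass-example
"""


def parse_env(text: str) -> dict:
    """Minimal KEY=value parser: skips blanks and '#' comments, strips matching quotes.
    It does not implement variable interpolation or multi-line values."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def is_truthy(value: str) -> bool:
    """Mirror the loose boolean forms accepted in .env files."""
    return value.strip().lower() in ("1", "true", "on", "yes")


def audit_env(env: dict) -> list:
    """Return a list of (setting, message) findings; empty means the file passes.
    APP_DEBUG defaults to off when absent, matching Laravel's env('APP_DEBUG', false)."""
    findings = []
    app_env = env.get("APP_ENV", "production").lower()
    if is_truthy(env.get("APP_DEBUG", "false")):
        exposed = [k for k in SENSITIVE_KEYS if env.get(k)]
        findings.append((
            "APP_DEBUG",
            f"APP_DEBUG is enabled with APP_ENV={app_env}; a verbose error page "
            f"could expose: {', '.join(exposed) if exposed else 'no secret keys set'}",
        ))
    return findings


def check_file(path: str) -> int:
    """CLI-style entry point: print findings and return a non-zero exit code on failure."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_env(parse_env(fh.read()))
    for setting, message in findings:
        print(f"FAIL [{setting}] {message}")
    return 1 if findings else 0


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(label, audit_env(parse_env(sample)) or "OK")
```

Running the script prints one finding for the weak sample, naming APP_KEY, the DB_* and MAIL_* keys as the values at risk, and "OK" for the hardened one; wiring check_file into a deployment pipeline with the real .env path turns the 5-day exposure window described above into a build that never ships.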