The official campaign website of US President Donald Trump exposed data that, according to security experts, may have allowed hackers to intercept emails and to send emails on behalf of the Trump campaign.
The problem was linked to Laravel, a popular open-source PHP web application framework. The software provides a debug mode that helps developers identify bugs and errors on their websites.
It should be enabled only during development, but many developers neglect to turn it off once their website goes live. Live websites with debug mode enabled display various kinds of backend information, including passwords and secret keys.
Comparitech researchers Bob Diachenko and Sebastien Kaul scanned the web for websites with Laravel debug mode enabled and found over 760 sites. They estimated that approximately 10-20% of these sites exposed confidential configuration information, including the Trump campaign site at Donaldjtrump.com.
According to Comparitech, mail server data for Trump's website was exposed in clear text. Malicious actors could have used this data to intercept outbound emails or to send emails on behalf of the Trump campaign.
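The defender-side check that follows is an added example, not code from the article or from Comparitech: it parses a Laravel `.env` file, applies the framework's own truthiness rules for `APP_DEBUG`, and lists which secrets (mail credentials among them, as in the case above) a debug error page would expose. The sample `.env` and its values are constructed placeholders.

```python
import re

# Keys Laravel's debug error page would dump with the rest of the environment;
# the article notes mail server credentials were among the exposed data.
SENSITIVE_KEYS = ("APP_KEY", "DB_PASSWORD", "MAIL_HOST", "MAIL_USERNAME",
                  "MAIL_PASSWORD", "AWS_SECRET_ACCESS_KEY", "REDIS_PASSWORD")
# Only these literals disable debug: Laravel's env() maps them to falsy PHP
# values and default config/app.php casts with (bool) env('APP_DEBUG', false).
FALSY = {"", "0", "false", "(false)", "null", "(null)", "empty", "(empty)"}
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

def parse_env(text):
    """Minimal .env parser: KEY=value, optional quotes, # comments."""
    env = {}
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m or raw.lstrip().startswith("#"):
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) > 1 and value[0] in "'\"" and value[-1] == value[0]:
            value = value[1:-1]                        # quoted: keep verbatim
        else:
            value = value.split(" #", 1)[0].rstrip()   # strip inline comment
        env[key] = value
    return env

def debug_enabled(value):
    """Mirror (bool) env('APP_DEBUG', false): APP_DEBUG=no or =off does NOT
    turn debug off, a common surprise when trying to disable it."""
    return value is not None and value.strip().lower() not in FALSY

def audit_env(text):
    """Report debug state, environment, and the secrets a debug page exposes."""
    env = parse_env(text)
    debug = debug_enabled(env.get("APP_DEBUG"))
    live = env.get("APP_ENV", "production").lower() == "production"
    exposed = [k for k in SENSITIVE_KEYS if env.get(k)] if debug else []
    risk = "HIGH" if debug and live else "MEDIUM" if debug else "OK"
    return {"debug": debug, "live": live, "exposed": exposed, "risk": risk}

# Constructed sample .env with placeholder values (not real credentials).
SAMPLE_ENV = """APP_ENV=production
APP_DEBUG=true   # forgotten after development
APP_KEY="base64:EXAMPLEKEYNOTREAL=="
MAIL_HOST=smtp.example.invalid
MAIL_USERNAME=mailer@example.invalid
MAIL_PASSWORD='s3cret-placeholder'
"""
print(audit_env(SAMPLE_ENV))   # risk HIGH, exposes APP_KEY and MAIL_* values
```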
It is unclear how long debug mode was left on on the Trump website, but after being notified, the US president's campaign took approximately five days to resolve the issue.
“Only 24 hours is too risky. In principle, anyone could use this credential to represent the Trump campaign or send emails on behalf of email.donaldtrump.com,” explained Diachenko.
The Trump campaign, approached by SecurityWeek, said that the issue had been resolved and that nothing was at risk. It attributed the problem to outdated legacy code.
It has been known for some time that websites may expose sensitive information if Laravel debug mode is left enabled. Last year, Diachenko and Kaul found 566 such websites using the Shodan and BinaryEdge search engines.
Source: HackerCombat