A security researcher has managed to find the resumes of prospective interns applying to work on Donald Trump’s (or is that Drumpf?) presidential campaign on his campaign website.
According to Chris Vickery, lead security researcher of the MacKeeper security research team, the campaign website exposed a number of CVs due to a misconfigured asset repository.
This meant that anyone that had direct links could access the files stored on an insecure Amazon S3 server.
“After discovering this asset server’s existence, and my URL fuzzer being met with code 301 redirects instead of code 403 denials, I started digging,” said Vickery in a blog post.
“Because directory listing was disabled, there was no easy way to enumerate folder names within the asset bucket. I was running through a small dictionary of common folder names when I got a hit on a folder named ‘resumes’”.
The resumes contain details such as names, home and email addresses, phone numbers, and education and work experience.
Vickery added that the leak of data was “an entirely avoidable mistake on the part of Trump’s tech staff.”
“We’ll probably never know how bad the exposure really was or what other files I could have found. I have zero confidence that the campaign will be honest about that in whatever response they put out publicly (that’s if they do actually acknowledge the situation),” he added.
“Let’s just hope that Donald’s team learned a good lesson here, and, if he is elected, that they are capable of guarding national assets better than their website’s assets,” said Vickery.
This article originally appeared at scmagazineuk.com