Some of us at Insightus sat down together this morning to draft a blog post aimed at clarifying, for non-techies, precisely what kind of information is and is not contained in the massive leak of the (once, but no longer) super-secret GOP database profiling 200 million American voters — including, most likely, you. Frankly, that draft post wasn’t shaping up to be very interesting, because really pretty much all of the voter information leaked out isn’t all that interesting either... although that’s not to say you shouldn’t be offended by the leak anyway.
But while we were writing, a technical question arose that we thought might be fairly easy to answer via some deep googling. And thereby we stumbled upon something really interesting — evidence strongly indicating that the GOP’s leak (which was actually more like a firehose) has been ongoing for a lot, lot longer than the party and its contractor have so far been willing to admit.
Here’s what the GOP’s contractor, Deep Root, is currently saying about the duration of the security vulnerability that exposed 200 million Americans’ personal information on the web (source: Washington Post):
Deep Root co-founder Alex Lundry said the data, which included proprietary information as well as publicly available voter data provided by state government officials, has been secure since new protocols were put into place on June 14. The exposure began on June 1, when Deep Roots Analytics adopted updates that accidentally stripped away the password protections on the files
Yeah, about that whole “June 1” thing… our pretty obscure Google search revealed evidence that has apparently been sitting around since last year, indicating that the front door to the GOP’s secret voter database has most likely been wide open since sometime last year:
What we see here is that at least as far back as October 20, 2016, Google’s web crawler (and, thus, likewise the world at large) was able to access documentation and/or web forms of the GOP’s API for a database containing some or all of the exact same field names as are found in Vickery’s discovery (including field names “vh12g,” “vh07p,” “vh08pp,” “rncid,” “jurisdictionvoterid” and more).
When you click on those Google hits today, you’ll receive only a 404 (Page Not Found) message (indicating that the leak has now been closed), but that message is itself informative: it is in the exact format used by Amazon AWS when one tries to access a nonexistent static web page hosted in an AWS S3 bucket. And if, instead, you go to Google’s cached version of that page (dated April 21, 2017), you’ll find an Amazon AWS login form. You can try all of this yourself by googling the phrase “VH12G” “Swagger UI” (including the quotation marks).
[….]
If that’s so, then it is quite possible that Vickery wasn’t the first guy to find that door wide open.
He was merely the first good guy.
I hope you’ll find our full report an interesting and informative read. It’s a lot less technical than the quote above might suggest.
Fight like heaven, y’all.