Official “Vote Joe” App Security Flaw Leaks Private Data Of All 250,000 Users

By , in Current Events Politics on . Tagged width: ,

[Guest Post] Catboy is a conservative Gen-Z college student in his early twenties with years of experience in software engineering, application/network security, and product design.

In the vast majority of Joe Biden‘s never-ending stream of screw-ups on the campaign trail, many of his decisions are not yet impacting voters at home. Unless, of course, his mobile application leaks data about hundreds of thousands of Americans via his campaign’s very own “Vote Joe” app.

What is the Vote Joe App?

Vote Joe, the Biden-Harris’ attempt to appeal to the youth, is a sleek mobile application (admittedly sleeker than the competition’s) that aims to get people to annoy their friends to vote, politically charge and already-over-politicized nation, and turn ordinary folks into telemarketers, with a leaderboard, points, and a leveling system to boot.

My main development laptop broke, and as COVID restrictions have delayed Apple for weeks, I decided to kill some time by digging into what the application does and the code that powers it.

All debugging and requests made are for my own personal information or information that is already public, and falls squarely inside the bounds of what is allowed by the CFAA (Computer Fraud and Abuse Act). Requesting the data of other users may have you facing charges. Don’t do it.

So what’s the problem?

To begin, there is usually a lengthy process to even attain the code that powers a mobile application. Companies don’t want you seeing it, and neither does Apple. Thanks to jailbreaking, the process of breaking out of the numerous security measures Apple has in place for their mobile devices, most of the buck of making sure applications are secure fall to the developers, or in his case, Joe Biden and his staff.

As we all know, they’re fairly incompetent.

To be fair, the application wasn’t created by Joe Biden and his team directly, but a company based out of Somerville MA called OutVote (https://outvote.io). Outvote is self-described as an application for progressives to canvass, act, and connect to get the politicians they like elected. Joe Biden most likely partnered with this organization to create a new mobile application, but it turns out they lazily tacked-on to their existing application to create “Vote Joe.” The codebase is almost identical except that there are a few Biden-specific edits shoved into the Biden version.

And what happens when developers get lazy and don’t think things through?

You get data leaks.

My curiosity for the app stemmed from the fact you could upload your contact book and get tons of information about each contact entry. For example, each person in my contacts now had a hometown, an age-range, a party affiliation, and a voting history. None of my contacts know I requested this data, never mind giving permission for it. Now, this isn’t specific to the Biden application, voter rolls exist and are (somewhat) public information in some states, but not in all of them.

https://www.ncsl.org/research/elections-and-campaigns/access-to-and-use-of-voter-registration-lists.aspx

Many states limit this data to political parties (of which Biden is, of course, a part of) for legitimate campaign uses. What happens when all of this data, regardless of state, is accessible to anyone? Without requesting it from the state?

Some might call that doxxing – Imagine this data getting into the hands of Twitter and TikTok.

So what’s the process of getting this information? Vote Joe asks for a first name, last name, age range, and state. However, if you don’t use the Vote Joe app and instead submit an HTTP request outside of the app, you just need a first and last name, and the state. From that you can get every single person with that name in that state, their hometown, age range, party affiliation, and voter history.

But wait – there’s more!

If you shrugged that one off as “it’s mostly public information anyways,” trust me that was the appetizer, the mozzarella sticks to the chicken parm that’s headed your way.

So I decided to look into my profile. On the page it happened to say “Team Size: 1, Points: 0, Actions: 0” – it’s weird how I never created a “team” but I shrugged It off. The team name was my first and last name, “Catboy Presidente”

The leaderboards has teams too, ranked by points for a truly game-ified democracy. It showed the first 34 teams, with names like “Amy Klobuchar’s Team,” “Muslims for Biden,” “Soul Squad,” and “Women for Biden.”

No “Network Security Engineers for Biden” – maybe there should be.

In the code for the application, there are parts that make out calls to the internet to power things like leaderboards, teams, profiles, etc. A common one to get the current user’s profile was there:


makeRequest("/user", {method:'GET'})

Repeating that request in a web browser gave me my user ID, a number used to identify a user, sometimes in lieu of a username or email address.

{
   "id": "249586"
}

There was also a request to get the leaderboards:

makeRequest("/campaigns/831/leaderboards", {method:'GET'})

(831 is the ID for Joe Biden in OutVote, remember when I said they just tacked Vote Joe onto their existing application?)

[
      {
           "id": 129503,
           "name": "Women for Biden",
           "join_code": "649053",
           "team_leader": {
                    "first_name": "Carissa",
                    "last_name": "Smith"
            }
       },
       {
          "id": 129515,
          "name": "Young Americans for Biden",
          ...
        }
        ...
]

Huh. That team ID kinda looks like my user ID, doesn’t it?

In the code there was a way to get details about the teams in the above request.

makeRequest("/teams/" + id, {method:'GET'})

What happens if I replace the ID with my user ID, “249586”?

{
    "id": 249586,
    "name": "Catboy’s Team",
    "join_code": "99999XX",
    ...
    "owner": {
        "first_name": "Catboy",
        "last_name": "Presidente"
    }
},

HOLY SHIT. From that experiment we learned that users and teams are one in the same. Unfortunately for everyone registered to the app, that ID can be any number between 1 and 250,000 (the number of users registered in the app just to drop that little statistic on you), and it will return that user’s first and last name – and all other associated data with the user – just like it returned “Catboy Presidente”.

So there you have it, two deadly flaws in a lazy application made by a lazy company for sleepy Joe Biden. 250,000 names with associated activity levels leaked alongside countless others in voter rolls.

Godspeed all you cool cats and kittens.