A bug in Joe Biden’s official campaign app may have exposed the personal information of millions of Americans, according to security researcher the App Analyst. One of the features of the Vote Joe app allows users to sync their phone’s contact list with the software to see if their friends and family have registered to vote in the upcoming presidential election. When it finds a match, the app displays the person’s name, their approximate age and birthday, as well as a list of the recent elections they voted in.
The data is provided by TargetSmart, a company that claims to have information on approximately 191 million American voters. The idea here is that Biden supporters will use the feature to leverage their existing network in support of their candidate. However, the App Analyst found they could use that same feature to get the software to share someone’s personal information simply by creating a contact in their phone with that person’s full name.
While someone could get some of that same information through other means, the Vote Joe app made obtaining it trivial (among other issues, the software also doesn’t require users to verify their email). Moreover, the App Analyst found Vote Joe pulls in more data than it displays through its user interface, including what seems like a guess on TargetSmart’s part as to whether a person voted for the Democratic or Republican presidential candidate in a particular election.
The Biden campaign says it fixed the bug on Friday when it rolled out an update for the app. “We were made aware about how our third-party app developer was providing additional fields of information from commercially available data that was not needed,” a spokesperson for the campaign told TechCrunch. “We worked with our vendor quickly to fix the issue and remove the information. We are committed to protecting the privacy of our staff, volunteers and supporters and will always work with our vendors to do so.” Notably, the campaign’s website reveals it’s hiring a cybersecurity analyst, in addition to a cybersecurity manager.
As TechCrunch notes, this isn’t the first time data from TargetSmart may have leaked online. In 2017, a cache of records on nearly every registered voter in Alaska, totaling approximately 600,000 individuals, was exposed through a server misconfiguration by a third-party firm that had access to the data. That information is something that state-sponsored hackers could use to sway an election. It’s not a hypothetical threat, either. Microsoft recently warned that Russia, China and Iran are actively trying to interfere in the 2020 elections. The company said the “majority” of attacks on both the Joe Biden and Donald Trump campaigns had failed, but that hasn’t stopped those groups from continuing their efforts.