The official campaign website of U.S. President Donald Trump exposed information that may have allowed hackers to intercept emails and send out emails on behalf of the Trump campaign.
The issue was related to Laravel, a popular open source PHP web application framework. The framework includes a debug mode that allows developers to find errors and misconfigurations on their websites.
This debug mode should only be enabled during development, but many developers have failed to disable it once their website is live. Live websites that have the debug mode enabled can expose various types of backend information, including credentials and secret keys.
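A defender-side pre-deployment check for the misconfiguration described above, added here as an example and not code from the article, from Comparitech or from the Laravel project: it parses a Laravel `.env` file and reports when `APP_DEBUG` is on outside local development, listing the keys whose values a debug error page would reveal. `APP_ENV`, `APP_DEBUG`, `APP_KEY` and the `MAIL_*` keys are standard Laravel settings; the sensitive-prefix list and the sample file are my own assumptions.

```python
"""Audit a Laravel .env file for debug mode left enabled in production.

Laravel's debug pages can dump environment values (mail credentials,
APP_KEY, ...) to anyone who triggers an error, so APP_DEBUG must be
off anywhere but local development. Sample input below is constructed."""
import re

# Keys that would matter if dumped by a debug page. Assumed list, not Laravel's.
SENSITIVE_PREFIXES = ("MAIL_", "DB_", "APP_KEY", "AWS_", "REDIS_PASSWORD")


def parse_env(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; skips comments/blank lines and strips quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        env[key] = val
    return env


def audit_env(text: str) -> list[str]:
    """Return findings for a .env file; an empty list means it passes."""
    env = parse_env(text)
    findings = []
    app_env = env.get("APP_ENV", "production").lower()
    debug = env.get("APP_DEBUG", "false").lower() in ("true", "1", "yes", "on")
    if debug and app_env != "local":
        findings.append(f"APP_DEBUG is enabled with APP_ENV={app_env}")
        exposed = sorted(k for k in env if k.startswith(SENSITIVE_PREFIXES) and env[k])
        if exposed:
            findings.append("debug pages would reveal: " + ", ".join(exposed))
    return findings


# Constructed sample resembling a production site with debug mode left on.
SAMPLE_BAD = """
APP_ENV=production
APP_DEBUG=true
APP_KEY=base64:placeholder-not-a-real-key
MAIL_HOST=smtp.example.com
MAIL_USERNAME=mailer
MAIL_PASSWORD="s3cret"
"""
# The corrected file differs only in APP_DEBUG.
SAMPLE_FIXED = SAMPLE_BAD.replace("APP_DEBUG=true", "APP_DEBUG=false")

if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("fixed", SAMPLE_FIXED)):
        print(name, audit_env(sample) or ["ok"])
```

Run it against the real `.env` in a CI step and fail the deploy on any finding.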
Comparitech researchers Bob Diachenko and Sebastien Kaul have scanned the web for websites that have the Laravel debug mode enabled and found over 760 sites. They estimated that roughly 10-20 percent of those sites exposed sensitive configuration data, including the Trump campaign website hosted at donaldjtrump.com.
According to Comparitech, Trump’s website exposed mail server information in clear text. This information could have been leveraged by malicious actors to intercept outgoing emails or send emails on behalf of the Trump campaign.
It’s unclear how long the debug mode was left enabled on Trump’s website, but it took roughly five days for the U.S. president’s campaign to address the issue after being notified.
“Even 24 hours is dangerous enough. Theoretically, anybody could use these credentials to impersonate the Trump campaign and send emails on behalf of email.donaldtrump.com,” Diachenko explained.
SecurityWeek has reached out to the Trump campaign for comment and will update this article if we get a response.
The fact that websites can expose sensi ..