A newly released 63red Safe mobile app that aims to help wary Trump supporters find “safe” and conservative-friendly places to wear Make America Great Again (MAGA) gear turns out to have a host of security issues, according to one researcher.
Meanwhile, Scott Wallace, the Oklahoma-based mobile app developer behind 63red Safe (which is described on Google Play as a Yelp-like app designed “to keep conservatives safe as they eat and shop”) has not taken kindly to the findings. He’s accusing the researcher of hacking his database and has threatened legal recourse.
The French security researcher, who goes by Elliot Alderson (just like the main character in Mr. Robot), tweeted out his findings earlier this week.
Alderson said that in taking a look at the publicly available source code, he found that Wallace had implemented an open API in order to communicate with the 63red Safe server, which contains the app’s database. The issue is that API has no log-in protection.
“In this case, they ‘forgot’ to implement an authentication mechanism,” Alderson tweeted. “It means everybody can use their API, it’s open bar!”
He also discovered that there’s a list of API endpoints in the app’s source code, making it possible for someone with a bare minimum of software engineering skills to more easily access user data stored on the server. This includes profile IDs, when the profiles were created, profile pictures, the number of people a user follows and is following, UIDs and email addresses. It’s also possible to block users and create new profiles, he said.
Alderson said that he was able to see that 4,466 persons created a profile on the app. He said he didn’t download the database, but he noted that it was possible to use two specific APIs requests to obtain the information.
“[Use] the ‘Get user by ID’ endpoint and do 4,466 requests to get all the user data,” Alderson tweeted, adding, “but you can also use the ‘Get user by UID’ endpoint. It will return all the users with a user id … starting with the letter of your choice. So you will have only 26 letters + 10 digits = 36 requests to do to get the full user database.”
He summed up the situation in a concluding tweet:
Conclusion: Do not use this app, your personal security is at risk.@63red In order to #MAGA, you can start by learn how to code an application pic.twitter.com/3qwCHO90bO
— Elliot Alderson (@fs0c131y) March 12, 2019
Speaking to Threatpost via Twitter direct message, Alderson said, “I’m a professional security researcher, I’m here to help them not the opposite.” But Wallace took the findings to be an attack and said he would pursue prosecution for hacking.
“As we have seen across the United States, conservatives particularly have come under attack for their political beliefs — verbally, physically, and electronically,” he wrote in an official response. He added, “We see this person’s illegal and failed attempts to access our database servers as a politically-motivated attack, and will be reporting it to the FBI later today. We hope that, just as in the case of many other politically-motivated internet attacks, this perpetrator will be brought to justice, and we will pursue this matter, and all other attacks, failed or otherwise, to the utmost extent of the law. We log all activity against all our servers, and will present those logs as evidence of a crime.”
He also tweeted his displeasure:
TL;DR: No lost passwords, no breach of database, no data changed, minor problem fixed. We’re angry by the attempt, FBI notified.https://t.co/v59DExCI0F
— 63red (@63red) March 12, 2019
Alderson told Threatpost via Twitter DM that “what I did is pretty simple, no hack was required. I didn’t ‘break’ anything, there was no protection at all.”
In response to Wallace, the researcher tweeted, “I did not hack your app, I read the available source code and I used your unauthenticated APIs… By threatening me, a security researcher, you are threatening the whole #infosec community. I’m a professional and I’m not hiding. I’m staying at your disposal if needed.”
Wallace added that the exposed information has now been locked down – and the app has temporarily disappeared from app stores as of the time of writing — so 63red Safe users ultimately have benefited from the researcher’s findings.
This isn’t Alderson’s first tango with the digital side of Conservative America. In October he published a vulnerability in the Donald Daters app. The app, a MAGA-themed dating experience, turned out to be leaking users’ names, photos, personal messages and users’ authentication tokens.
David Richardson, senior director of Enterprise Product Management at Lookout, noted that unfortunately, it’s all too common for app developers to overlook security considerations and best practices in favor of getting into the market quicker.
“The mobile app ecosystem is great for enabling any individual to build an app from anywhere — even their garage — but when these apps and the supporting back-end infrastructure are built without security in mind,” Richardson told Threatpost. “As a result, they risk leaking data through insecure coding practices, insufficient encryption and insufficient authentication.”