A security researcher discovered that Vote Joe, Democratic presidential candidate Joe Biden’s official campaign application, has compromised the sensitive information of millions of voters, according to TechCrunch.
The campaign application allows Biden supporters to upload their contact lists to see whether or not their friends and family are registered voters. The main goal of this app is to encourage contacts to participate in the election.
Once uploaded, the information will be compared with the TargetSmart database. TargetSmart is a political marketing firm that allegedly has access to data of over 191 million Americans.
Entries with matches will have their full name, birthday and age disclosed. Vote Joe also displays the most recent election the voter has participated in.
The App Analyst, the security researcher who found the bug, said in their blog that the contact data uploaded by users “enriches the database entry and is stored to help solicit their vote in the future.”
This means that the Biden campaign’s database keeps the synced contact data. Moreover, the app continues to “enrich the voter database entry” even when the phone contact does not match a voter.
The researcher added, “By adding fake contacts to the device a user can sync these with real voters.” TechCrunch explained that this bug allows users to “trick the app into pulling anyone’s information by creating a contact on his phone with the voter’s name.”
The App Analyst informed TechCrunch that Vote Joe gathers more information than it shows users. The app acquires more private and detailed information, including home address, gender, political party affiliation, and ethnicity.
Biden’s camp was informed about the vulnerability on September 7, 2020. By September 11, 2020, the developers had fixed the bug, as seen in the iOS version.
Regarding the issue, campaign spokesperson Matt Hill said, “We were made aware about how our third-party app developer was providing additional fields of information from commercially available data that was not needed.”
Hill clarified that the campaign collaborated with its vendor immediately to remove the information and to fix the bug. He also emphasized that the camp is dedicated to securing the privacy of its supporters, staff, and volunteers.
Meanwhile, the vendor TargetSmart said that only publicly or commercially available data was made accessible to users.
TechCrunch noted that while such information is available for the public to view, political organizations also use such data to “enrich their databases with additional data from other sources to help political campaigns identify and target key swing voters.”