


Blue Harvest?

During the past holiday weekend, I came into the possession of some very interesting-looking computer screen captures. They were taken at ActBlue, the Democratic online fundraising tool and website that for 2008 has matured into a legitimate vendor for two mainstream presidential campaigns.

And the pictures? The screen caps depict a major lapse in network security — one exposing certain member and donor information. In layman’s terms, they left the back door open all weekend. Earlier this afternoon I communicated with ActBlue executive director Ben Rahn, verifying the incident and gathering more information. Here is what went down, based on my limited reporting:

On Friday afternoon, a software developer’s error inadvertently changed the network security settings, granting administrative-level access to occasional users (i.e., not every account). For example, if you are a normal user and you log in at normal times, this is what the top right-hand corner of the page will look like:

Options for regular ActBlue user

But if you are an administrator — or a normal user this weekend — the top right-hand corner of your page would have looked like:

Options for ActBlue administrator

Anyone who knew enough to be dangerous could get in and change settings or make the site do unpleasant things. But perhaps more worrisome, anyone could now access the Treasury database and start downloading sensitive donor information, in the form of CSV files, showing who had given to whom and how much.

I have a few of these screen shots, just enough to give an idea of what’s there without actually compromising ActBlue further. So, to start, if you click on that Admin link, you would find yourself at the Admin page:

ActBlue Admin page

From there it’s one more click to the Treasury Dashboard showing the actual bank accounts (account numbers blurred, incomplete though they are) ActBlue uses to manage the funds it receives:

ActBlue Treasury Dashboard

And the candidates? Both John Edwards and Bill Richardson use ActBlue to collect their online donations. So here’s the Richardson page:

ActBlue Richardson page

Note the “CSV data” in the furthest-right column. Aside from a prankster turning the site’s color scheme red, that’s where the real trouble lies.

There are a few reasons why this breach is not what it could have been. For one, as Rahn emphasized to me, “To be clear, credit card data is never available from the web site, and thus was never at risk of compromise.” Additionally, CSV (that’s comma-separated values) files can be a bit of a pain, especially if you don’t really know what you’re doing. And of course there is one thing that may have occurred to you already: All of this information will eventually be released to the FEC.

That said, there’s no telling what a rival campaign or unaffiliated opportunist savvy enough to collect and synthesize this data could do. In the fundraising business, gathering data is difficult. Names, addresses and e-mails would be worth a lot of money to other candidates, political associations or other interested parties. Those names could be cross-referenced against existing lists of donors, and e-mail addresses of known political donors would be a hot property (even if “hot”). Any Senate data would be a huge bonus, because Senate candidates aren’t required to file electronic records with the FEC (and nobody wants to search thousands of PDFs).

So you never know. Maybe it’s something. Maybe it’s nothing. As Rahn told me today:

As it happens, we identified and resolved the problem Sunday morning; it was caused by a developer’s error on Friday afternoon. Your source’s findings essentially describe the “worst case scenario” [that could be caused by this error] … After resolving the problem we combed through the logs of reports accessed during the window, and the most likely case is that reports were only accessed by those who should have seen them and perhaps a few curious users (such as your source) who might have explored a link they hadn’t seen before and done nothing with the data. However, there is no way for us to completely rule out the contrary cases.

And he assures me that they are “taking steps to ensure that this does not recur,” as one might imagine.

We’ve come a long way since Sandra Bullock pressed Esc and wound up getting chased around “The Net” by a clichéd British villain, and by now most of us are comfortable buying things and donating money online — despite the risks. Security errors are a fact of life. They will be a fact of political life, too.


8 Responses to “Blue Harvest?”


  1. Andrew Pass

    I think you are absolutely correct. Security issues will be a fact of life forever. But actually, this problem just creates an opportunity for people to be creative and develop new ways to eliminate the threat. I don’t have the slightest idea as to where to begin, or actually continue since the process began a long time ago. But, thankfully many others would.

    Andrew Pass
    http://www.pass-ed.com/Living-Textbook.html

  2. Turk

    Most campaigns salt their lists (i.e. put bogus records into their database) so they can a) tell when mail is received after it drops and b) tell if someone has stolen their data. If you start getting mail addressed to a fictitious name that only appears in your database, you can tell your data has been compromised.

    The real danger inherent in the ActBlue data being stolen is the fact that it’s direct from the source, so there would be no way to know if someone had pilfered your donor data.

  3. Molly

    “The real danger inherent in the ActBlue data being stolen is the fact that it’s direct from the source, so there would be no way to know if someone had pilfered your donor data.”

    The article doesn’t say anywhere that any data was stolen, only that in this case it was viewed and screenshots were taken - just to clarify.

  4. Ian

    “After resolving the problem we combed through the logs of reports accessed during the window, and the most likely case is that reports were only accessed by those who should have seen them and perhaps a few curious users (such as your source) who might have explored a link they hadn’t seen before and done nothing with the data. However, there is no way for us to completely rule out the contrary cases.”

    Sure there is. This guy either doesn’t understand the technical side of things or is BSing. You can examine the web server logs and see every individual request made, allowing you to trace back and see exactly what every client requested. According to Netcraft, ActBlue uses lighttpd, which of course has access logging capabilities. If the administrative features only appeared for logged in users then they could easily see exactly which users saw what data.

    Whatever the case, they must have some awful developers if something like this happened. Either the user authentication/privilege system was disabled or a number of users were erroneously marked as administrators. Either way it’s a pretty big screw-up.

    And I don’t see why CSV files would be difficult to handle. If you know how to view an Excel file then you know how to view a .csv.

    “The article doesn’t say anywhere that any data was stolen, only that in this case it was viewed and screenshots were taken - just to clarify.”

    I don’t understand. What do you have to do to “steal” data other than viewing it?
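
The log review discussed in the article and in comment 4, as an added example that is not part of the original post or comments and is not ActBlue's code: it scans access-log lines for successful admin-area requests made inside an exposure window by accounts that are not known administrators. The log layout (Combined-Log-style, with the account name in the user field), the paths, the account names and the dates are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: host, ident, user, [time], "request", status, bytes.
# Paths, account names and dates are hypothetical, not taken from ActBlue.
SAMPLE_LOG = """\
198.51.100.7 - alice [05/Jan/2007:14:10:02 +0000] "GET /admin/treasury HTTP/1.1" 200 5120
203.0.113.9 - bob [05/Jan/2007:18:42:11 +0000] "GET /admin HTTP/1.1" 200 2048
203.0.113.9 - bob [05/Jan/2007:18:43:30 +0000] "GET /admin/treasury/report.csv?entity=12 HTTP/1.1" 200 88211
198.51.100.7 - alice [06/Jan/2007:09:00:00 +0000] "GET /admin/treasury/report.csv?entity=12 HTTP/1.1" 200 88211
192.0.2.44 - carol [06/Jan/2007:21:15:45 +0000] "GET /admin/treasury/report.csv?entity=30 HTTP/1.1" 403 312
192.0.2.44 - carol [06/Jan/2007:21:16:02 +0000] "GET /contribute HTTP/1.1" 200 900
203.0.113.80 - dave [07/Jan/2007:11:30:00 +0000] "GET /admin HTTP/1.1" 403 312
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def audit(log_text, start, end, known_admins, prefix="/admin"):
    """Return {user: [(time, path, bytes), ...]} for successful admin-area
    requests inside [start, end] made by accounts not in known_admins."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not (start <= ts <= end) or not m["path"].startswith(prefix):
            continue
        if not m["status"].startswith("2") or m["user"] in known_admins:
            continue  # denied requests and real admins are not exposure
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["user"]].append((ts, m["path"], size))
    return dict(hits)

def csv_downloads(hits):
    """Narrow audit() output to report downloads: {user: total bytes served}."""
    return {u: sum(s for _, p, s in rows if ".csv" in p)
            for u, rows in hits.items() if any(".csv" in p for _, p, _ in rows)}

WINDOW = (datetime.strptime("05/Jan/2007:15:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z"),
          datetime.strptime("07/Jan/2007:10:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z"))

if __name__ == "__main__":
    print(csv_downloads(audit(SAMPLE_LOG, *WINDOW, known_admins={"alice"})))
```

A request log of this kind records which account was served which report and how many bytes; it does not record what happened to a file after it was downloaded.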

  5. Timothy

    “I don’t understand. What do you have to do to “steal” data other than viewing it?”

    Disable its DRM and share it on limewire?

  6. Not Paul Begala

    “Most campaigns salt their lists (i.e. put bogus records into their database) so they can a) tell when mail is received after it drops and b) tell if someone has stolen their data. If you start getting mail addressed to a fictitious name that only appears in your database, you can tell your data has been compromised.”

    I’ve mostly heard of the FEC doing that to catch campaigns using public records, but not too many campaigns. Unless it’s a really big campaign that is very cognizant of the value of their data, you don’t usually see that. Even with mail delivery, cutting edge campaigns are able to track individual deliveries (down to the DDU at least), so that’s not even necessary anymore.

  7. JSPS

    Thank goodness Sandy Berger was out of town.

  1. Rightroots, Big Red Tent and Slatecard: An Assessment at Blog P.I.