Trump Legal Campaign to Invalidate Election Leaked Voter Data

• One of the websites set by Trump’s lawyers to collect evidence of election fraud has leaked voter data.
• The people who registered on the site were exposed by SQL injection flaws that made scraping possible.
• The information that has been accessed includes full names, email addresses, home addresses, and phone numbers.

With Joe Biden eventually winning the presidency in the United States, Donald Trump and the Republican lawyers supporting his platform have impetuously and pretty hastily set up a system of legal action against the results. What Trump believes, or at least maintains, is that the recent U.S. elections were fraudulent and that many of the ballots that arrived via post mail did not correspond to real people.

To support their case on the U.S. Supreme Court as well as on regional courts, Trump’s legal team has set up websites to collect evidence of the alleged fraud, essentially helping them prove their arguments.

One of these websites is “donttouchthegreenbutton.com,” set up only a few days ago, inviting voters to report illicit events they witnessed at the polling stations of Maricopa County. Trump’s side claims that many had trouble casting their in-person votes there and has already filed a relevant lawsuit.

To report an incident, one has to declare their personal information to add legitimacy to their filings. According to the latest reports, though, this information has been leaked because of SQL injection flaws and a catastrophic API key exposure (now removed) on the website that would enable anyone to scrape the voter data in bulk. 

Related: Donald Trump Campaign Site Attacked by Hackers and Defaced

The information that has been exposed now includes the following things:

• Full names
• Addresses
• Phone numbers
• Email addresses
• Dates of birth
• The last four digits of the SSN (social security number)
• Answers to multi-choice questions

While voter data is already public information, threat actors holding that particular set in the specific context could engage in highly-successful phishing and scamming operations against the people who decided to stand behind Trump’s claims in Maricopa.

Also, the event is a good reminder of why you shouldn’t trust websites that have been set up in an obvious hurry. The “donttouchthegreenbutton.com” was beyond doubt a perfunctorily-made site appearing out of nowhere and asking people to enter their personal details.

As for whether the data has been scraped or not, the first reports of the website’s lack of security appeared on Reddit, together with screenshots that proved the claims. This leaves little doubt about the actual accessing of the data, but it doesn’t mean that it was the act of hackers. On the contrary, the people who discovered this only intended to troll Trump’s legal team and figured out the security hole in the process.