UpGuard can now disclose that a code repository including exposed access credentials for Campaign Sidekick, a current voter contact, survey, and canvassing app used by Republican campaigns, has been secured. The code repository was within a “.git” directory which was configured for public access and hosted on Campaign Sidekick’s primary website. The directory contained source code and associated credentials for Campaign Sidekick, including the full history of changes to the code since it was first uploaded to this directory in November of 2016. Additionally, the data exposed in this project included credentials for accessing the CPanel (website administration software) and Secure File Transfer Protocol servers of another US elections-related company, Voter Gravity. The scripts detail how information was collated from sources (including Facebook) and included identifying details of software developers working on the project who were located within, and residents of, India.
Git is a version control system for software development that maintains a record of every change submitted to the code base. Each change is a "commit" and git preserves all of them in the “commit history,” making the state of a software project at any point in time auditable. Git also provides the ability for developers to update the version of the code stored on their computer by "pulling" from the central code repository so that developers don't make conflicting changes, and any faulty code can be identified and reverted. These capabilities ensure that all collaborating developers are working from the same code and are making changes that don't conflict with or duplicate each other. The same operations that make git useful for software development, however, also make it possible for code to be exposed when self-hosted git folders are misconfigured. When a .git directory is configured for public accessibility, as was the case for files hosted on campaignsidekick.vote, anyone in the world can view all code and its history.
Screenshot of the publicly available .git directory showing code hosted on Campaign Sidekick's site and the most recent date that each file or directory was changed.
On February 12, 2020, an UpGuard Cyber Risk Analyst found that the .git directory on app.campaignsidekick.vote was available to the public internet. After downloading the files and determining that they were of some level of sensitivity, the analyst notified Campaign Sidekick. UpGuard and Campaign Sidekick spoke on the phone multiple times between February 12 and February 15 primarily due to Campaign Sidekick requesting information regarding the relatively small amount of voter Personally Identifiable Information (PII) which was directly present within the publicly exposed repository itself. On February 15, 2020 the Campaign Sidekick helpdesk ticket tied to our notification was closed with the message, “You can close. Breach closed.”
According to their website, Campaign Sidekick (originally known as Surge Data Technologies) was conceived during the 2002 election cycle to facilitate large scale canvassing without the friction created by resources printed on paper. Since then, the digitization of campaigning has exploded; Obama's 2008 victory has been attributed in part to data analytics, and Republicans have responded by developing their own Data Trust (which UpGuard has previously reported on– both the contents of the database and the software for populating and deploying it).
For the past two decades, the national Democratic and Republican parties have been in a digital arms race to capture, unify, analyze, and act on data about American voters. Some of that data can be assembled from the existing data broker market, where companies collect data about individuals and sell it without the individuals' involvement. The other half of the data used by political parties comes from telephone surveys, online polling, and on the ground campaign activities: talking to people and recording responses. These personal interactions distinguish political campaigns from other advertising campaigns, and create the need for software like Campaign Sidekick. As Campaign Sidekick founder Drew Ryun explains in one of their videos, "For our purposes, as one of the RNC's vendors, [one of our goals is to] have this flow back into the RNC's data hub that you can then search for and pull back in future years."
Example of the profile for an individual voter that Campaign Sidekick users would see for canvassing and other campaign activities.
While digitizing that bi-directional flow of data allows for more data capture, it also creates cyber risk. Every app that such data passes through– and there are many apps, for both parties, like the portfolio backed by Democratic group Higher Ground Labs– has the risks associated with any information technology. That risk may surface as operational failure, like in the case of the "Shadow" app used and then abandoned in the Iowa Democratic primary, or the loss of confidentiality, as in the case of Campaign Sidekick.
The Campaign Sidekick repository contained many credentials which could have been abused to compromise the confidentiality, integrity, and availability of data provided to and from their service.
- Cpanel login for votergravity.com/cpanel. Cpanel is a content management system used for administering websites. This document indicated that the username and password pair here "will also work for secure ftp," providing access to a file storage server. This password began with the number "2020," suggesting it may have been updated as recently as this year.
- A configuration file included the app id and secret key for a Facebook app, which another file identified by URL as facebook.com/campaignsidekick
- An API key and password for a Chargify account.
- Less critical credentials included the project ID and key for Airbrake and Recaptcha. While these two items would not provide immediate access to voter data, they provide further tools for social engineering and indicate the breadth of credentials exposed in this collection. (applications/social/config/airbrake.php) (applications/social/config/config.php)
- A password for a hosted database tied to "In Field Strategies," another political consultancy.
- A password for a database hosted on an internal network.
- An email account password for firstname.lastname@example.org
UpGuard never attempts to use credentials discovered in public datasets, so the full extent of access a malicious actor could have gained by leveraging these exposed authentication credentials is unknown.
As a git project, metadata included in the exposed repository reveals the story of who, when, and where were involved in this project's development. Because each commit comes from a specific person, the developers and their employer are identifiable, showing this project was worked on by individuals at an Indian development contractor. The use of IP addresses and phone numbers located in India add additional corroboration.
Image showing some of the git metadata including code branches and time since most recent commit.
A Campaign Sidekick staff member also confirmed to UpGuard’s Director of Risk Research, during one of the phone conversations, that a team of software developers in India had been engaged at some point by Campaign Sidekick, without getting into details of the arrangement.
Other artifacts from the development environment trace the relationships between multiple organizations involved in the data set. One artifact of the project’s development are the many references to Surge Data and surgedatatech.com– the name of Campaign Sidekick before rebranding. Other parts of the code show a close relationship with Voter Gravity, like the aforementioned password to access Voter Gravity's admin panel and the usage of many classes from the “Social Gravity” package that lists votergravity.com as the link to its author. To pick one specific example, a file called “campaign_in _progress_Jan30_2018.php” contains many references to Voter Gravity and identifies its domain at votergravity.com. That file also references Political Gravity and its site, politicalgravity.com, which now redirects to votercontact.org.
The CEOs of Campaign Sidekick and Voter Gravity are brothers, and their father is Jim Ryun, another GOP operative, which may help in explaining why there would be such close contact between these companies, and how they fit within the ecosystem of GOP campaign apps. The intermingling of code and sharing of data between these parties, and others like Freedomworks and the RNC (both of which are also referenced within the files), underscores how risk in any campaign app is contagious to others, and creates systemic risk for the campaign industry.
Part of a file for reconciling data from RNC and Facebook sources.
Finally, significant amounts of code are dedicated to gathering and interacting with data from Facebook. After a user has authenticated with Facebook, the app could use the “friends.get” method to search a list of their friends and retrieve information about them to compare with data in voter databases. Due to the leakage of user data through third party app developers, Facebook removed access to this API for all developers in 2015. After that, however, Facebook continued to provide access to friends' data to a smaller group of "integration partners" until at least July of 2018, when they reported those data sharing agreements to Congress. References in the Campaign Sidekick collection to FQL– the Facebook Query Language– also place portions of the code prior to Facebook’s efforts to limit third party developers’ access to the friends graph.
The operation that the Campaign Sidekick code could perform on Facebook– using an authenticated user’s session to search for their friends– was common at that time and supported by the base Facebook class written and distributed by Facebook. Campaign Sidekick then cross-referenced the names of those individuals with the ones in their voter database to discover the real identities of those Facebook accounts and vice versa. As UpGuard has previously reported, that data could then be used for additional targeting of those individuals on Facebook, and elsewhere, with tailored messages.
While Facebook has since banned many capabilities which made it easy for app developers to harvest their users’ friends data en masse, its capabilities as an entry point from the real world of political campaigning into the digital world of targeted advertisement made it uniquely useful for apps like this one and the GOP’s overall data strategy. In a video uploaded six months ago, the CEO of Campaign Sidekick can be seen wearing a Facebook shirt.
Data exposures like this one are not a function of party affiliation or political beliefs– UpGuard has also reported exposures related to the Hillary Clinton's Senate campaign and the Russian Federation. Data exposures are an inherent risk of digital technologies that are managed by imperfect human operators. As political campaigning has become increasingly digitized, so has the risk increased for the exposure of data processed by the growing campaign industry.
Read more on Techcrunch.
Download the executive summary
We'll email you a summary PDF containing three takeaways from this breach.