While someone could get some of that same information through other means, the Vote Joe app trivialized obtaining it (among other issues, the software also doesn’t require users to verify their email). Moreover, the App Analyst found Vote Joe pulls in more data than it displays through its user interface, including what seems like a guess on TargetSmart’s part whether a person voted for the Democratic or Republican presidential candidate in a particular election.
The Biden campaign says it fixed the bug on Friday when it rolled out an update for the app. “We were made aware about how our third-party app developer was providing additional fields of information from commercially available data that was not needed,” a spokesperson for the campaign told TechCrunch. “We worked with our vendor quickly to fix the issue and remove the information. We are committed to protecting the privacy of our staff, volunteers and supporters and will always work with our vendors to do so.” Notably, the campaign’s website reveals it’s hiring a cybersecurity analyst, in addition to a cybersecurity manager.
As TechCrunch notes, this isn’t the first time data from TargetSmart may have leaked online. In 2017, a cache of nearly every registered voter in Alaska, totaling approximately 600,000 individuals, was exposed through a server misconfiguration by a third-party firm that had access to the data. That information is something that state-sponsored hackers could use to sway an election. It’s also not a hypothetical threat either. Microsoft recently warned that Russia, China and Iran are actively trying to interfere in the 2020 elections. The company said the “majority” of attacks on both the Joe Biden and Donald Trump campaigns had failed, but that hasn’t stopped those groups from continuing their efforts.