Vulnerability in Right-Wing ‘Election Integrity’ App Reveals Voter-Suppression Scheme and Exposes User Data

An application created by the right-leaning nonprofit True the Vote, aimed at crowdsourcing allegations of voter fraud, recently exposed a significant security vulnerability that compromised the email addresses and additional information of users who engaged with the platform. This flaw, which has now been rectified, brought to light the identity of a California election official who had misused the app to publicly discuss an illegal and discriminatory plan that involved requesting identification from voters based on their perceived citizenship status. Notably, California law does not mandate voter ID in most situations, and election officials are currently investigating this breach.

VoteAlert, the app in question, represents the latest undertaking by True the Vote, an organization headquartered in Texas and led by Catherine Engelbrecht. Engelbrecht has been instrumental in bringing attention to election denialism, promoting unsubstantiated theories about voter fraud. True the Vote has often relied on technology as a means to validate its claims, despite a consistent lack of evidence provided when challenged.

Investigations by WIRED uncovered the extent of the data exposure while examining the app’s codebase. The flaw occurred when the platform returned email addresses of users submitting reports and comments during the process of loading new posts, which could be accessed by anyone reviewing the site’s source code. True the Vote’s response to inquiries regarding the specifics of the data exposure was vague; a spokesperson indicated that the issue stemmed from an infinite scroll feature introduced over the weekend, impacting the app’s configuration temporarily. However, follow-up questions pointed to a multi-week duration of the exposure, to which True the Vote did not provide further comments. The security issue has now been addressed, with user emails no longer accessible.
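The failure mode described above, a handler that loads further posts and returns submitter email addresses along with them, is shown here next to an allowlisted version and a response check that can run as a regression test. This is an added example, not code from VoteAlert or from WIRED's reporting; the record layout, field names and function names are assumptions, and the sample rows are constructed.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample rows; the schema is an assumption, not the app's real one.
POSTS = [
    {"id": 1, "body": "Long line at precinct 4", "created": "2024-11-01",
     "author_email": "reporter1@example.org", "display_name": "reporter1",
     "comments": [{"id": 10, "body": "Same here", "display_name": "c1",
                   "author_email": "c1@example.org"}]},
    {"id": 2, "body": "Machine was slow", "created": "2024-11-02",
     "author_email": "reporter2@example.org", "display_name": "reporter2",
     "comments": []},
]
PUBLIC_POST_FIELDS = ("id", "body", "created", "display_name")
PUBLIC_COMMENT_FIELDS = ("id", "body", "display_name")

def load_page_unsafe(offset, limit):
    """Scroll handler that returns stored rows as-is (the leaking pattern)."""
    return {"posts": POSTS[offset:offset + limit], "next": offset + limit}

def load_page_safe(offset, limit):
    """Same handler, but each object is rebuilt from an explicit allowlist."""
    posts = []
    for row in POSTS[offset:offset + limit]:
        post = {k: row[k] for k in PUBLIC_POST_FIELDS}
        # Nested comments need their own allowlist; they leak the same way.
        post["comments"] = [{k: c[k] for k in PUBLIC_COMMENT_FIELDS}
                            for c in row.get("comments", [])]
        posts.append(post)
    return {"posts": posts, "next": offset + limit}

def find_email_leaks(payload, path="$"):
    """Walk a response; return (json_path, value) for each email-like string."""
    leaks = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            leaks += find_email_leaks(value, f"{path}.{key}")
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            leaks += find_email_leaks(value, f"{path}[{i}]")
    elif isinstance(payload, str):
        leaks += [(path, match) for match in EMAIL_RE.findall(payload)]
    return leaks

if __name__ == "__main__":
    print("unsafe:", find_email_leaks(load_page_unsafe(0, 10)))
    print("safe:  ", find_email_leaks(load_page_safe(0, 10)))
```

The check also flags addresses that users type into post bodies, so a hit on a `body` path points to content moderation rather than a serializer fault.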

Before the vulnerability was fixed, over 146 email addresses belonging to users who reported or commented on alleged voter fraud were affected. An analysis revealed a total of 186 user submissions alleging fraud, along with more than 200 additional comments, suggesting that VoteAlert has a limited user base. Despite its niche appeal, the platform has become a venue for the dissemination of unverifiable claims regarding election misconduct.

One notable claim that was subsequently debunked involved a user asserting that a Dominion voting machine exhibited discrepancies between “public” and “private” vote counters, a feature that Dominion states does not exist. Another post, later removed, alleged that a bake sale at a polling station in Delaware was an attempt to influence voting, potentially breaching election laws. Additional reporting indicated that the accompanying photograph in this post was at least seven years old.

In a concerning instance shared on VoteAlert, a user identifying herself as an Election Officer in Riverside County openly discussed her intentions to request citizenship documentation from voters whom she deemed questionable. The post suggested a lack of accountability from local law enforcement, mentioning that the Riverside County Sheriff’s Office would overlook her actions. The user expressed her determination to contribute to what she perceived as combating election fraud, remarking on her motivations in a somewhat casual tone.

This incident raises significant cybersecurity concerns, particularly regarding the handling of user data in politically sensitive applications. The vulnerabilities exhibited by VoteAlert underscore the critical need for robust security measures to protect personal information within platforms designed to interact with the public. The tactics potentially applicable to this incident under the MITRE ATT&CK framework include initial access through programmatic vulnerabilities, as well as a failure in data protection standards that could fall under privilege escalation categories. The situation is a reminder for organizations to prioritize cybersecurity hygiene, particularly where sensitive civic processes are involved.
