Like tens of millions of other websites, the campaign donation website for US presidential candidate Donald Trump relies on open-source software called jQuery. But it seems that the software is being used in a sloppy way, which could put Trump supporters at risk of identity theft or worse.
Trump’s website uses a jQuery plug-in, or a bit of ready-made code, called jQuery Mask Plug-in to handle how donors fill in their name, address, and other information. The mask plug-in restricts the types of information users can enter in forms. This is useful because it increases the chances of accurate data being submitted for payment processing, and for the campaign’s records. It’s also free and available for download from GitHub, the popular platform for open-source software.
A programmer named Shu Uesugi, an engineer at a California company called EdSurge, discovered a major flaw with the way Trump’s website was using jQuery. Instead of downloading the open-source code from GitHub and running it off a server they controlled, the developers who built Trump’s website simply ran the code off GitHub directly, Uesugi found.
While the code’s location might seem like a minor detail, running it off GitHub meant that the person who controlled the code on GitHub could change the code at his whim, and those changes would take hold on Trump’s website. Since GitHub is for open-source projects, it also meant that any user could submit a request to modify the code and impact Trump’s website, if the change was approved by the plug-in’s author, a developer in Lisbon named Igor Escobar.
“It’s all up to the will of one developer in Portugal,” Uesugi wrote. A malicious hacker could have exploited the website’s sloppy use of the plug-in to tweak the code and create a range of humiliating scenarios for the Trump campaign, including capturing donors’ names, addresses, and other details. Luckily Escobar, for his part, doesn’t appear inclined to sabotage the Trump website.
Trump’s website was apparently fixed within hours of Uesugi’s blog post being published, and the offending line of code deleted. Brad Parscale, the Trump campaign’s digital director, tweeted that the website was based on a “third-party solution” and that the vendor had fixed the problem.