A Look at Politically Motivated Hacks Through the Lens of the Donald Daters App
Since this briefing deals with topics that have a high level of emotion and politics involved in them, we would like to make clear that Reflare does not take a political position on any current or past global event. This is on purpose. Our aim is to provide you with competent analysis of information security topics. Since these are often intertwined with political topics, we must stay ambivalent to politics in order to be able to provide you with high-quality, objective content.
Earlier this week, an online dating app called “Donald Daters”, specifically targeting supporters of the current US President, launched to significant media coverage. The app was founded by a former aide to US Senator Marco Rubio named Emily Moreno, who believes that the mainstream online dating offerings are too hostile towards Trump supporters.
Within hours of the app’s launch, French security researcher Elliot Alderson released tweets indicating that he had gained access to the app’s database, including users’ names, email addresses and private messages. This information was quickly picked up by major news sources such as TechCrunch, which forced Donald Daters to temporarily shut down while they fixed the vulnerability.
The vulnerability in turn was a completely open and unsecured database server whose domain name was hard-coded and plainly visible in the application’s data.
This incident is a great example of a politically motivated security incident.
While some politically motivated attacks take the form of sabotage or large-scale state action, the core of political motivation is much simpler. The very fact that support for President Trump is a contentious issue in current political discourse meant that a Trump dating app would have a bullseye on it as soon as it launched.
While other dating apps with similarly poor security would doubtlessly have eventually seen a breach, that breach would likely have been exploited commercially instead.
Hacktivism and the Law
This incident also allows us to analyze an interesting subset of politically motivated breaches: those that don’t break the law. Mr. Alderson chose to publicly disclose the vulnerability but did not make any of the datasets public. He also didn’t circumvent any security mechanisms to gain access to the data. The database server had no access restrictions and was accessible to anyone on the internet.
While various non-governmental standards urge security researchers to disclose vulnerability information to the affected party before making it public, there is currently no legal requirement to do so in most jurisdictions.
If anything, the operators of Donald Daters would face legal consequences in several regions such as the EU for the exceedingly lax protection of users’ private data.
While the incident was not illegal by our current understanding of Mr. Alderson’s actions and US and French law, it still had the same impact that an illegal breach such as dumping the database or deleting data would have - i.e., causing large-scale media awareness and forcing the app to temporarily shut down, which very likely ensures that the app will die due to a lack of users over the coming months.
Political motivation is one of the core motivations for cyber security attacks. Any organization dealing with a matter that can be seen in a political context should make sure that its codebase and policies are adequate to handle the higher-than-average risk.
Some cybersecurity incidents can have a significant impact on the target without breaking the law. From a moral standpoint, the question of how vulnerabilities should be reported and published has been a contentious issue in the cybersecurity community for the past two decades and will likely remain so for the foreseeable future.