A Look at Politically Motivated Hacks Through the Lens of the Donald Daters App

If you’re a hopeless romantic (and who isn’t), then you can probably appreciate the irony of the “No. 1 Place for Patriotic Singles” having some of the weakest security on the internet. 

First Published 19th October 2018  |  Latest Refresh 5th April 2022

4 min read  |  Reflare Research Team

Since this briefing deals with topics that involve a high level of emotion and politics, we would like to make clear that Reflare does not take a political position on any current or past global events. This is on purpose. Our aim is to provide you with a competent analysis of information security topics. Since these are often intertwined with political topics, we must stay neutral about politics in order to be able to provide you with high-quality, objective content.

What Happened?

An online dating app called “Donald Daters”, specifically targeting supporters of the 45th US President, was launched with significant media coverage. The app was founded by Emily Moreno, a former aide to US Senator Marco Rubio, who believed that the mainstream online dating offerings were too hostile toward Trump supporters.

Within hours of the app’s launch, French security researcher Elliot Alderson released tweets indicating that he had gained access to the app’s database, including users’ names, email addresses and private messages. This information was quickly picked up by major news sources such as TechCrunch, which forced Donald Daters to temporarily shut down while they fixed the vulnerability.

The vulnerability itself was a completely open and unsecured database server whose domain name was hardcoded and plainly visible in the application’s data.

Political Motivation

This incident is a great example of a politically motivated security incident.

While some politically motivated attacks take the form of sabotage or large-scale state action, the core of political motivation is much simpler. The very fact that support for President Trump is a contentious issue in current political discourse meant that a Trump dating app would have a bullseye on it as soon as it launched.

While other dating apps with similarly poor security would doubtlessly have eventually seen a breach, that breach would likely have been exploited commercially instead.

Hacktivism and the Law

This incident also allows us to analyze an interesting subset of politically motivated breaches: those that don’t break the law. Mr. Alderson chose to publicly disclose the vulnerability but did not make any of the datasets public. He also didn’t circumvent any security mechanisms to gain access to the data. The database server had no access restrictions and was accessible to anyone on the internet.

While various non-governmental standards urge security researchers to disclose vulnerability information to the affected party before making it public, there is currently no legal requirement to do so in most jurisdictions.

If anything, the operators of Donald Daters would face legal consequences in several regions such as the EU for the exceedingly lax protection of users’ private data.

While the incident was not illegal by our current understanding of Mr. Alderson’s actions and of US and French law, it still had the same impact that an illegal breach, such as dumping the database or deleting data, would have had: it generated large-scale media awareness and forced the app to shut down temporarily and, later on, permanently due to a lack of users.

Truth Social

All platforms that purposefully segment their user base face similar problems. When something becomes political, it limits the pool of people willing to work on it. Even if people align with an ideology, highly skilled workers are often uneasy about doing so publicly. The current zeitgeist may change, and having worked on a project with visible ties to prominent political figures may lead to plenty of people getting cancelled.

Three years after Donald Daters, Donald Trump's Twitter alternative "Truth Social" is seeing a similar mix of problems. The app appears to suffer from system architecture issues, like the inability to scale rapidly or flow over to cloud servers, as well as a lack of availability outside of the iOS ecosystem. This, ironically, reintroduces the core platform dependency Mr. Trump sought to solve with his own social network.

Summary

Political motivation is one of the core motivations for cyber security attacks, yet it definitely doesn't help when your technologies are problematic from the get-go. Any organization dealing with a matter that can be seen in a political context should make sure that its codebase and policies are adequate to handle the higher-than-average risk.

Some cybersecurity incidents can have a significant impact on the target without breaking the law. From a moral standpoint, the question of how vulnerabilities should be reported and published has been a contentious issue in the cybersecurity community for the past two decades and will likely remain so for the foreseeable future.
