A security vulnerability in President Trump’s mobile campaign app exposed Twitter application keys and secrets, Google apps and maps keys and Branch.io keys in the Android APK file, researchers at Website Planet recently discovered.
A research team led by Noam Rotem and Ran Locar said the exposed keys and secrets provided access to the app’s Twitter API and other parts of the app. “While the exposed keys allowed access to many parts of the app, we concluded in our investigation that user accounts remained inaccessible through this vulnerability,” according to a Website Planet blog post. “We did not attempt to access any user accounts on the app, as we felt the initial vulnerability was sufficient to alert the Trump campaign.”
The researchers said an attacker would need two additional keys to access the accounts of Trump or any other user. “However, a malicious hacker could still use the keys to impersonate the app, and much worse,” the researchers said. “For example, using the branch.io keys, hackers could potentially access app user and usage data.”
The team alerted the Trump campaign, which released a fix a few days later.