GiveSendGo, the donation service being used by the Canadian trucker protest known as the “Freedom Convoy,” is still leaking sensitive user data despite allegedly fixing the issue earlier this week.
Now, the journalistic collective DDoSecrets says it’s obtained files the site failed to secure, even after being alerted to the problem.
On Tuesday, TechCrunch reported that a security researcher had discovered an unsecured Amazon S3 bucket containing over 50 gigabytes of data. Files in the data cache included everything from scans of passports to drivers’ licenses.
The Freedom Convoy had recently begun using GiveSendGo after its GoFundMe account was shut down in response to allegations that members were engaging in violence and harassment on the streets of Canada.
The protest movement, which racked up $7.9 million in donations on GoFundMe, has already acquired $8.3 million since switching to GiveSendGo.
After being alerted to the security lapse by TechCrunch, GiveSendGo appeared to fix the issue. But the Daily Dot learned on Thursday that sensitive data is still accessible.
A source with access to the data explained to the Daily Dot that GiveSendGo appeared to only remove the ability to view an index of the storage bucket’s contents but did not disable direct access to the files themselves.
The Daily Dot was able to view multiple files including a scan of an individual’s Social Security card as well as multiple military identifications. The sensitive information that is accessible appears to be from users who set up campaigns and includes photos of credit cards, birth certificates, health insurance cards, voter IDs, permanent resident cards, and a police commissioner’s ID.
As noted by TechCrunch, a security researcher had previously left a note in the company’s S3 bucket back in late 2018 in an attempt to alert the company to its security woes.
In a separate note, the security researcher, who left behind links to his Twitter profile and LinkedIn page, warned GiveSendGo that its bucket had been poorly configured.
The Daily Dot reached out to GiveSendGo to inquire about the security issue and was told that previous reporting on the issue was “fake news.”
GiveSendGo co-founder Jacob Wells claimed that the company does not collect donor IDs.
“We have never and do not collect donors’ IDs,” Wells said. “We are looking at our legal recourse options for what looks to be an intentional hit job.”
When informed that photos of items such as Social Security ards were publicly accessible, Wells asserted that the exposure of such files would be the fault of the website’s users.
“There might be the potential that a campaign owner uploaded a ID to a public gallery for their campaign of their own volition and did not properly remove it, but that would be on the campaign owner who uploaded it,” Wells added.
The Daily Dot was able to confirm some of these IDs matched those who set up campaigns.
Wells did not reply to a follow-up email asking if he would work to properly secure the data.
The data was later provided to the journalism collective DDoSecrets on Thursday. Given the sensitivity of the data, DDoSecrets announced that it would only provide access to journalists and researchers. DDoS said they were provided with at least 1,000 images they deemed were of sensitive information.
GiveSendGo’s ongoing security problems come as American conservatives attempt to launch a Freedom Convoy of their own. An internal memo from the Department of Homeland Security warned this week that truckers could attempt to disrupt the Super Bowl in Los Angeles on Sunday as well as the upcoming State of the Union address in Washington, D.C.
Source: https://www.dailydot.com/debug/givesendgo-sensitive-data/