A recent research found gaping security holes in several SuperPAC public websites that may expose personal information of donors and other sensitive data. These vulnerabilities range from weak or nonsexist encryption and open ports to old and outdated server platforms. Security firm UpGuard assessed the security posture of top SuperPACs actives in the 2016 US election, and found that most of them could reach the average level of security. SuperPACs do not store payment information, but they keep donors’ personal information. Exposing donors’ identifies is a great issue because the purpose of these organizations is to hide who’s giving money. The main vulnerabilities are due to lack of encryption, no email authentication to avoid phishing scams, open SQL ports, and no DNSSEC adoption.
Mengqi, it looks like those SuperPAC public websites were wide open based on the vulnerability holes you highlighted above. I will not be surprised if Wiki Leaks already got his hands on those information. There is a saying that goes, “You can run, but you can’t hide” and this situations resembles a perfect example. Open SQL ports is a major vulnerability that can addressed with closing the port, checking the input length on the server, making sure that the programs handling user input do not run in the same process as the web server, and Java or C# are preferable because they automatically checks bounds of buffers.