The creator of a “safe space” app for Trump-loving conservatives flipped out after a cyber researcher pointed out some major security flaws.
The 63Red Safe app essentially lets Trump supporters know where they can wear “Make America Great Again” hats without shame, but researcher Elliot Alderson publicized some fundamental security flaws in the app’s architecture, Ars Technica reported.
Alderson discovered that 63Red founder Scott Wallace had left his username, email, and a plaintext password in the app’s source code twice, and found that other users could retrieve those details — and more — from each user account by sending spoofed requests to the app’s API.
The data did not include passwords, but Alderson said the entire user database could be retrieved by going through all the possible first letters or digits of an account ID.
This app uses a language called @reactnative. Getting the original source of the app is super easy. Because he is nice, the developer hardcoded his credentials in the source code… twice… pic.twitter.com/DWwAvagSs5
— Elliot Alderson (@fs0c131y) March 12, 2019
Wallace, the app’s founder, did not take the revelations well, and claimed he’d reported Alderson’s efforts to the FBI.
“No lost passwords, no breach of database, no data changed, minor problem fixed,” Wallace tweeted. “We’re angry by the attempt, FBI notified.”
In a post on Medium, Wallace then accused Alderson of hacking his app, which has been compared to Yelp and the Jim Crow-era “Green Book,” but for President Donald Trump’s “MAGA” fans.
“We see this person’s illegal and failed attempts to access our database servers as a politically motivated attack, and will be reporting it to the FBI later today,” Wallace wrote. “We hope that, just as in the case of many other politically motivated Internet attacks, this perpetrator will be brought to justice, and we will pursue this matter, and all other attacks, failed or otherwise, to the utmost extent of the law. We log all activity against all our servers, and will present those logs as evidence of a crime.”
Alderson, for his part, insisted he’d never attempted to change any data and had simply tested the app’s security.
“I did not hack your app, I read the available source code, and I used your unauthenticated APIs,” Alderson said. “It’s equivalent to (using) your app. By threatening me, a security researcher, you are threatening the whole infosec community. I’m a professional and I’m not hiding. I’m staying at your disposal if needed. Btw, how did you fix the issue without updating your app?”