The donation website used by truck drivers in Ottawa currently protesting national vaccine mandates has fixed a security lapse that exposed donor passports and driver’s licenses.
Boston, Massachusetts-based donation service GiveSendGo became the premier donation service for the so-called “Freedom Convoy” last week after GoFundMe froze millions of dollars in donations, citing police reports of violence and harassment in the city.
The protest, which began in January, had thousands of protesters and truckers descend on Canada’s capital to oppose mandatory vaccines against COVID-19, bringing the streets to a halt with noisy traffic. A fundraiser page on GoFundMe reached an estimated $7.9 million in donations before the crowdsourcing giant stepped in to block the campaign, prompting the fundraising effort to shift to GiveSendGo, which publicly declared its support for the protest. According to a press release, GiveSendGo said it processed more than $4.5 million in donations for Freedom Convoy protesters during the company’s first day hosting the campaign.
Ploonge was warned about the data lapse after a person working in the security space found an exposed Amazon-hosted S3 bucket containing over 50 gigabytes of files, including passports and driver’s licenses that were collected during the donation process.
The researcher said he found the web address for the exposed bucket by viewing the source code of the Freedom Convoy page on GiveSendGo.
S3 buckets are used to store files, documents, or even entire websites in the Amazon cloud, but they are set to private by default and require a multi-step process before the contents of a bucket can be made public for anyone to access.
The exposed bucket had over 1,000 photos and scans of passports and driver’s licenses uploaded since February 4, when the Freedom Convoy page was first set up on GiveSendGo. The file names suggest that identity documents were uploaded during the payments process, which some financial institutions require before processing a person’s payment or donation.
Ploonge reached out to GiveSendGo co-founder Jacob Wells with details of the exposed bucket on Tuesday. The bucket was secured shortly thereafter, but Wells did not respond to our questions, including whether GiveSendGo planned to inform those whose information was exposed about the security lapse.
Exactly how long the bucket was left exposed is not known, but a text file left behind by an unnamed security researcher, dated September 2018, warned that the bucket was “not configured properly”, which may have “dangerous security implications”.