The rollout of a Yelp-like phone app aimed at helping Donald Trump’s supporters find businesses friendly to MAGA-hat wearing chuds is going about as well as you’d imagine.
After security flaws in the app were made public Monday night, the developer behind “63red Safe” flipped his shit online and threatened to sic the FBI on the researcher who had outed its sloppy source code.
63red rolled out roughly a week ago, as the Daily Beast first reported, and is geared toward enabling users to rate restaurants, for example, based on whether they “serve persons of every political belief” and “allow legal concealed carry,” among other criteria unrelated to the quality of their food or cleanliness of their bathrooms.
A French researcher who goes by the Mr. Robot-themed handle Elliot Alderson tweeted that they’d reviewed the Android build of the app and discovered several urgent issues—the first being that the credentials of the app’s designer, Scott Wallace, appeared hard-coded into the application itself.
Alderson also found there was no authentication required to access 63red’s backend API, meaning essentially anyone could download the purportedly private information of its users, including their user IDs, email addresses, profile pictures, and more. More than 4,400 users had created a profile on the app so far, they said.
Alderson also noted that, given the unsecured API, it would likely be simple to download the entire user database en masse.
“Do not use this app, your personal security is at risk,” Alderson concluded. 63red was not pleased.
The company fired back on Tuesday with what begins as very Facebook-esque response, promising that it takes its security “very seriously,” that security is its “primary concern,” and that it would continue to improve its “systems in any way possible” to guarantee the safety of its users.
If only it had stopped there.
“As we have seen across the United States, conservatives particularly have come under attack for their political beliefs — verbally, physically, and electronically. This is unacceptable in a free society, and we will take every action to stop it, and assist our users in that as well,” the company said, adding: “We see this person’s illegal and failed attempts to access our database servers as a politically-motivated attack, and will be reporting it to the FBI later today.” (emphasis ours)
It went on to say that the “perpetrator” should be “brought to justice” and that it planned to present its server logs to the authorities “as evidence of a crime.”
To be clear, no apparent crime has been committed here. Nothing was “hacked.” Based on Alderson’s description and 63red’s own statement, it appears the company simply failed to secure its users’ information and its admin left his own credentials visible to the public.
63red’s impulse to attack the researcher who exposed its privacy-threatening flaws is a master class in how quickly companies can embarrass themselves and further damage their own credibility in response to a security incident. A statement graciously thanking Alderson for pinpointing the now-fixed issues combined with a promise not to repeat the foul up going forward would have sufficed.
“I can understand 63red is angry but I’m here to help them, not the opposite,” Alderson told Gizmodo.
Of course, it’s also possible 63red knows its audience very well, and feeding users a line about this all being a “politically-motivated” conspiracy to discredit the app and its founder—carried out by the French, no less—will only encourage growth.
C’est la vie.