Expert discovered RoboCent AWS S3 bucket containing US voters’ records exposed online

A security researcher has discovered that the US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.

The US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.

The researcher Bob Diachenko from Kromtech Security discovered the company database exposed online. The expert was using the online service GrayhatWarfare that could be used to search publicly exposed Amazon Web Services data storage buckets.

The company offers for sale voter records for a price of 3¢/record, the same data that left exposed online.

Querying the system for the term “voters” he found the AWS bucket used by RoboCent.

The bucked discovered by the expert contained 2,584 files, exposed voters’ data includes:

• Full Name, suffix, prefix
• Phone numbers (cell and landlines)
• Address with house, street, city, state, zip, precinct
• Political affiliation provided by state, or inferred based on voting trends/history
• Age and birth year
• Gender
• Jurisdiction breakdown based on district, zip code, precinct, county, state
• Demographics based on ethnicity, language, education

The server also contained audio files with prerecorded political messages used for the robo-calling service.

“Just when I thought the days of misconfigured AWS S3 buckets are over, I discovered a massive US voter data online, apparently being part of Robocent, Virginia Beach-based political autodial firm’s cloud storage.” wrote Diachenko.

“Many of the files did not originate at Robocent, but are instead the aggregate of outside data firms such as NationalBuilder.”

Diachenko responsibly disclosed the discovery to the company that quickly secured the bucket, below the message sent by a developer of the company that solved the issue.

“We’re a small shop (I’m the only developer) so keeping track of everything can be tough”

This isn’t the first case of unsecured Amazon S3 buckets exposed online, in June 2017 DRA firm left 1.1 TB of data unsecured on an Amazon S3, 198 million US voter records exposed.

In December 2017, Diachenko discovered another an exposed MongoDB database containing voter registration data for more than 19 million California residents.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – RoboCent , Amazon AWS)

[adrotate banner=”5″]

[adrotate banner=”13″]