GiveSendGo Donation Drive 'Freedom Convoy' Still Leaks Sensitive User Data Despite Fixing the Issue

Despite fixing the issue about the user data leak, GiveSendGo's "Freedom Convoy" donation site remains accessible to the public.

The authorities were alerted earlier about this news since confidential information such as passports and drivers' licenses might have been splattered as a result.

DDoSecrets Talks About Unsecured Files on the Donation Site

GiveSendGo Donation Drive 'Freedom Convoy' Still Leaks Sensitive User Data Despite Fixing the Issue
GiveSendGo has not yet fixed the issue regarding user data accessibility, according to the latest report. Spencer Platt/Getty Images

Popular whistleblower site for leaks, DDoSecrets, which was also known for being a WikiLeaks successor, uncovered a lot of sensitive data which accounts to more than 50 GB.

The researcher spotted this anomaly in an unsafe Amazon S3 bucket which contains confidential files. Some information inside this cache includes copies of passports and the drivers' licenses of the users.

As issues about violence circled the "Freedom Convoy" protest in Canada, it previously used a GoFundMe account but was later taken down because of the alleged harassment involving the members.

With that, the convoy decided to start using GiveSendGo as another donative site for its protest movement.

As of press time, the group already collected $8.3 million when it switched to GiveSendGo. GoFundMe donations reached $7.9 million for the time being.

Related Article: GiveSendGo Exposed User Data: Site for 'Freedom Convoy' Donations Secured Platform after GoFundMe Transfers

GiveSendGo Has Not Yet 'Fully Fixed' the Issue

Earlier this week, TechCrunch wrote in its article that GiveSendGo already issued a fix to the problem. However, Daily Dot found out that the confidential information on the site can still be accessed.

According to the source who has access to the data, GiveSendGo did not prevent direct access to the user data. However, what it did instead was to only bar the user from viewing the content in the storage bucket, which is considered not a fix at all.

Daily Dot confirmed that besides passport and licenses, the files also include military IDs, and Social Security cards.

Moreover, those who created the website still have access to information such as voter IDs' birth certificates, insurance cards, and other personal and sensitive information.

In connection to this cybersecurity lapse, a security expert alerted the fundraising platform about its security concerns in 2018 by leaving a note in the S3 bucket.

In addition, this person also left traces of warning on his Twitter and LinkedIn sites. He said that the company has a poor configuration for its bucket.

GiveSendGo Co-Founder Refuted the Allegations

Jacob Wells, the co-founder of GiveSendGo said that the company does not store the sensitive information of users such as donor identification cards.

"We have never and do not collect donors' IDs. We are looking at our legal recourse options for what looks to be an intentional hit job," he said per Daily Dot's story.

Later it was confirmed by the news source that some of the retrieved IDS matched the identity of the persons behind the said campaigns.

In another report by Tech Times, stealing of personal data also persisted in the recent Frontier software ransomware attack that took place in December 2021.

Even the tech giant Microsoft experienced cloud-based problems related to sensitive data. The company said that cloud-based misconfigurations are becoming rampant among enterprises.

Read Also: Microsoft Warns of Malware Designed as Ransomware that Deletes User Files

This article is owned by Tech Times

Written by Joseph Henry

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Join the Discussion
Real Time Analytics