US POLITICS

Canadian Hackers Target Trump.com With Message To Jon Stewart

Software on Trump.com may have contained security flaws flagged in 2009

US POLITICS
(Photos: Getty, Dreamstime, Photo Illustration: Robert A. Di Ieso/Vocativ)
Aug 03, 2015 at 1:48 PM ET

Donald Trump’s attorney Michael Cohen has dismissed a hacking attack on Trump’s corporate website, saying: “[Hackers] hacked into the Pentagon, for God’s sake.”

Hackers from the group Telecomix Canada targeted Trump.com on Monday, posting a long farewell letter to “Daily Show” host Jon Stewart, a frequent critic of Trump and his presidential run. Rather than defacing the Trump.com front page, the polite Canadian hackers posted a simple html page in which they thanked the outgoing TV host for “many happy years of quality journalism”. Stewart steps down as host this week.

At least some parts of Trump.com appear to employ an old and outdated content management system that is accessible to the public and that may still contain security vulnerabilities noted as early as 2009.

Cohen told Vocativ that he had not been aware of the attack. Presented with a link to the defaced page, Cohen was dismissive of its significance, and somewhat surprised that hackers had managed to breach the Trump.com defenses. “That’s really weird… You know, [hackers] hacked into the Pentagon, for God’s sake. It’s unbelievable… I’m going to have to reach out to our IT guy and figure out how they got through.”

At the time of publication, Trump.com had taken down the hacked document, but the public-facing editing tool remained accessible.

Internet security expert Jim Walker said he believed hackers exploited “an obvious oversight on the part of the web designer who designed the website.” Walker, who’s known as the Hack Repair Guy, added: “They forgot to remove the Cute Editor demo, allowing editing of the page on the Trump.com server.”

A person speaking on behalf of Telecomix Canada through Twitter told Vocativ by direct message that the group had not abused the content management system, and claimed “We entered the page via another channel.”

“The hole is actually more broad, but we took pains not to reveal that to avoid more destructive injections,” the person said.

They insisted the attack was “not meant as a malicious hack—it was/is what it appears to be—simply a thank you to Mr Stewart for his long body of work.”

At least two vulnerabilities inside the ‘Cute Editor’ content management system used on parts of Trump.com have previously been identified. One such vulnerability, according to a post on CERT.org, is that: “A remote attacker may be able to disclose sensitive information, steal user cookies, or escalate privileges.” An older vulnerability was posted on Exploit Database in 2009.