Vulnerability Patched in Democratic Donor Database - Josh Lospinoso BSides NOVA 2018 (Hacking Illustrated Series InfoSec Tutorial Videos)
Vulnerability Patched in Democratic Donor Database
Josh Lospinoso
@jalospinoso
BSidesNOVA 2018

A weak link-generation algorithm exposed Democratic Party donor information in the NGP VAN service to attack last month. The vulnerability would allow an attacker to unsubscribe large volumes of donors from Democratic candidates’ fundraising emails, conduct phishing campaigns, or resell the data. I disclosed the vulnerability to NGP VAN’s engineering team, which patched the vulnerability within a week. In this talk, I propose to discuss my discovery process, the tools I used to exploit the vulnerability, and advice for email subscription management services to avoid similar problems. See the optional document section for links to blog posts describing what I'll be talking about.

Josh Lospinoso

Josh Lospinoso works for US Army Cyber Command as a technical director, where he mentors other developers and writes infosec tools used in cyber operations around the globe. He holds a PhD from the University of Oxford and is a Rhodes Scholar.
