Donation site for Ottawa Truckers’ ‘Freedom Convoy’ protest exposed donor data – TechCrunch
The donation site used by truckers in Ottawa currently protesting national vaccination mandates has patched a security breach that exposed donors’ passports and driver’s licenses.
Boston, Mass.-based donation service GiveSendGo became the main donation service for the so-called “Freedom Convoy” last week after GoFundMe froze millions of dollars in donations, citing police reports of violence and harassment in the city.
The protest, which began in January, saw thousands of protesters and truckers descend on Canada’s capital to oppose mandatory COVID-19 vaccinations, paralyzing the streets with rumbling traffic. A fundraising page on GoFundMe hit around $7.9 million in donations before the crowdsourcing giant stepped in to block the campaign, prompting the fundraising effort to switch to GiveSendGo, which publicly declared its support for the protest. According to a press release, GiveSendGo said it processed more than $4.5 million in donations for Freedom Convoy protesters during its first day as the company organizing the campaign.
TechCrunch was notified of the data exposure after someone working in the security space found an exposed Amazon-hosted S3 bucket containing more than 50 gigabytes of files, including passports and driver’s licenses that were collected during the donation process.
The researcher said he found the exposed bucket’s web address by looking at the source code for Freedom Convoy’s webpage on GiveSendGo.
S3 buckets are used to store files, documents, or even entire websites in Amazon’s cloud, but are set to private by default and require a multi-step process before a bucket’s contents can be rendered public for anyone to access.
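The settings behind that multi-step process can be audited together. The following is an added example, not from the article and not a reconstruction of GiveSendGo's configuration: a Python check over a bucket's Block Public Access flags, ACL grants and bucket policy, taking them in the dict shapes boto3 returns. The function name, sample policy and bucket name are constructed, and treating any policy Condition as non-public is a simplification.

```python
import json

# Predefined S3 groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_exposure(pab, grants, policy_json):
    """Return reasons the bucket is open to anyone; empty list = private.

    pab: PublicAccessBlockConfiguration dict (missing keys count as False)
    grants: "Grants" list from the bucket ACL
    policy_json: bucket policy document as a JSON string, or None
    """
    reasons = []
    # IgnorePublicAcls makes S3 disregard public grants that already exist.
    if not pab.get("IgnorePublicAcls", False):
        for g in grants:
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                reasons.append("acl:" + g["Permission"])
    # RestrictPublicBuckets cuts off anonymous access granted by a public policy.
    if policy_json and not pab.get("RestrictPublicBuckets", False):
        for st in _as_list(json.loads(policy_json).get("Statement", [])):
            # Simplification (assumption): any Condition is treated as narrowing access.
            if (st.get("Effect") == "Allow" and not st.get("Condition")
                    and _is_wildcard_principal(st.get("Principal"))):
                for action in _as_list(st.get("Action", [])):
                    reasons.append("policy:" + action)
    return reasons

# Constructed sample input: a bucket opened up through its policy.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
OWNER_ONLY = [{"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
               "Permission": "FULL_CONTROL"}]
```

An empty result means none of the three layers grants anonymous access; with all four Block Public Access flags enabled, neither a public ACL nor a public policy takes effect.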
The exposed bucket contained more than a thousand photos and scans of passports and driver’s licenses uploaded since February 4, when the Freedom Convoy’s page was first created on GiveSendGo. The filenames suggest that identity documents were uploaded during the payment process, which some financial institutions require before they can process someone’s payment or donation.
TechCrunch reached out to GiveSendGo co-founder Jacob Wells on Tuesday with details about the exposed bucket. The bucket was secured soon after, but Wells did not answer our questions, including whether GiveSendGo planned to notify those whose information was exposed of the security breach.
It’s unclear exactly how long the bucket was left exposed, but a text file left behind by an anonymous security researcher, dated September 2018, warned that the bucket was “not properly configured”, which may have “dangerous security implications”.