You Could’ve Submitted a Pull Request to Inject Arbitrary JS Code into Donald Trump’s Site. Here’s How.

MAJOR UPDATE: I published this article on Aug 18, 2016 10:15am PDT, but at 12:45pm PDT I confirmed that the Trump campaign had applied a fix to its site and removed the vulnerable line of code, so what I wrote earlier is no longer relevant. But you can still read my original post below, as I think it’s a good security lesson for all of us developers. I have also captured a screenshot of the original source code on Google’s cache here (from Aug 14), if anyone’s interested.

UPDATE TWO: Several popular news sites have covered this blog post in ways that are easier to understand for non-coders:


Original Article (This will no longer work, but I bet you’ll still enjoy reading it, especially if you’re technical):

You Can Submit a Pull Request to Inject Arbitrary JS Code into Donald Trump’s Site. Here’s How.

Today (Aug 18, 2016 5am PDT) I was looking at Donald Trump’s campaign donation website, available at https://secure.donaldjtrump.com/donate-homepage.

Trump’s campaign donation site.

Naturally, as a software engineer, I decided to examine its source code. Then I found this line:

It’s loading a JS file from GitHub pages. Full source code screenshot can be found here.

The page loads a JavaScript file directly from GitHub Pages (hence the github.io domain), and GitHub Pages serves files straight from the corresponding repository’s gh-pages branch. If the file on GitHub gets modified somehow, the change is reflected on Trump’s site, usually in under 30 seconds.

In this case, the repository is jQuery-Mask-Plugin, a piece of code that enhances the user experience of submitting a form. And this is the JavaScript code that’s being served on Trump’s site: https://github.com/igorescobar/jQuery-Mask-Plugin/blob/gh-pages/js/jquery.mask.min.js


Because this is a public GitHub repository, anyone can (technically) submit a pull request modifying this JavaScript file to its author, Igor Escobar, a full-stack developer based in Portugal. If he accepts your pull request, then your JavaScript code, whatever it contains, gets injected into Trump’s campaign donation website immediately.

Potential Attack Idea

For instance, you might be able to inject the following JavaScript code:

if (location.host === 'secure.donaldjtrump.com') {
  location = 'http://hillaryclinton.com/'
}

If that code gets injected, every person who visits Donald Trump’s campaign donation page will be redirected to Clinton’s website. The code won’t affect other users of jQuery-Mask-Plugin, because the if (location.host === …) check ensures that the redirect only runs on Trump’s site.

The following GIF demonstrates an injection of the above JavaScript code by simulating the same effect using Chrome Devtools. You can see that you’ll get redirected to Clinton’s site immediately when the code is executed.

Injecting JS code to redirect Trump supporters to Clinton’s site.

To submit a pull request to the JS code loaded on Trump’s site, you can go to this page: https://github.com/igorescobar/jQuery-Mask-Plugin/edit/gh-pages/js/jquery.mask.min.js and add the code as shown on this GIF:

Submitting a pull request to a JS file

If the author accepts this pull request (which requires just a click on a button), then within 30 seconds, the code will go live on Trump’s site. Every person trying to donate to Trump will now get redirected to Hillary’s site. Trump’s digital marketing team will need to MAKE THEIR SITE WORK AGAIN. It’s all up to the will of one developer in Portugal.

Disclaimer: I didn’t actually submit the above pull request — I never clicked the “Propose file change” button.

More Attack Ideas

You can do more fun things by injecting custom JS code. For instance, this code:

if (location.host === 'secure.donaldjtrump.com') {
  document
    .querySelector('.donation-container')
    .style['background-image'] = 'url("https://cloud.githubusercontent.com/assets/992008/17785065/192ea49c-6534-11e6-9ab1-d3ac6b4894cb.jpg")'
}

Will change the page background like this:

Image taken from here: http://www.eater.com/2016/5/13/11673108/trump-putin-kiss-street-art

License

Just FYI, jQuery-Mask-Plugin is published under The MIT License, which states:

The software is provided “as is”, without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the software.

Side Note: Who’s Behind Trump’s Site

According to the San Antonio Express News, the Trump campaign paid Giles-Parscale, a San Antonio-based design firm, nearly $2 million to work on the campaign’s website between May 15, 2015 and April 29, 2016. The same article quotes Donald Trump’s son Eric, who in 2013 said “Giles-Parscale is a true class act in every regard and one of the best in the business.” Brad Parscale, the firm’s President, also tweeted a year ago that donaldjtrump.com is “handling nearly 10K requests a sec with ease.”

Update: Giles-Parscale apparently used a third party solution for the campaign donation page.

Please Don’t Try This at Home

Just because it’s technically possible, it doesn’t mean that you should actually do it.

The author will most likely NOT accept your pull request spam (he doesn’t even live in the U.S.), and you should definitely NOT send a pull request, as it’s just wrong and has serious consequences (the Trump campaign will probably sue you, for a start). And it’ll be irrelevant after Trump’s team patches their code to load JavaScript assets from their own server (I’ll update this post if that happens — I expect it to happen soon, as some people have already tweeted this article to Trump’s web team).

But what I’m trying to say is this: Don’t load JS assets directly from GitHub Pages, especially if you’re running for President of the United States. And especially not on your campaign donation site, where your visitors submit their private information, because that information can easily be accessed, intercepted, and transmitted elsewhere by injected JS code.

Trump claims that he can “MAKE AMERICA SAFE AGAIN,” but his supporters’ privacy is not very safe as of writing. A tremendous risk for identity theft — Sad!

Tweets (Before they patched it)

From the author of jQuery-Mask-Plugin:

Tweets (AFTER they patched it)

A reporter Blake Montgomery (disclaimer: Blake is my colleague) has interviewed Igor, the author of jQuery-Mask-Plugin:

Igor’s explanation for not accepting PR’s:

For the Record…