You Could’ve Submitted a Pull Request to Inject Arbitrary JS Code into Donald Trump’s Site. Here’s How.

7 min readAug 18, 2016

Update (Aug 2019): It’s now 3 years since this post was published. Now that the US presidential election cycle is back again, I wanted to make this clear: if I spotted something like this again now, I would choose to do responsible disclosure, instead of doing full disclosure as I did on this article. Responsible disclosure v.s. full disclosure is a much-debated topic, and I had a different opinion on this 3 years ago.

My rationale for doing full disclosure back then was: (1) by making it public, it will force the Trump campaign’s web managers to act quickly; (2) the public’s eye will prevent the owner of the repo from secretly taking a malicious action (this is debatable), and (3) it will raise awareness for front-end security. At the time, I thought these reasons would justify choosing full disclosure over responsible disclosure. In the end, the security hole was fixed within 2.5 hours, and no actual damage was done besides bad PR for the Trump campaign. Still, I think doing responsible disclosure would have been, well, a more responsible way of handling this situation.

If anyone is looking for a well-handled case of responsible disclosure, look no further than this article about Zoom’s security vulnerability:

Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!

Vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The…

medium.com

MAJOR UPDATE: I published this article on Aug 18, 2016 10:15am PDT, but at 12:45pm PDT I confirmed that the Trump campaign had applied a fix to its site and removed the vulnerable line of code, so what I wrote earlier is no longer relevant. But you can still read my original post below, as I think it’s a good security lesson for all of us developers. I have also captured a screenshot of the original source code on Google’s cache here (from Aug 14), if anyone’s interested.

UPDATE TWO: Several popular news sites have covered this blog post in ways that are easier to understand for non-coders:

Trump’s campaign donation website used open-source code sloppily, risking ridicule and worse (Quartz: Tweet / FB Post)
A Simple Coding Mistake Left Donald Trump’s Website Open to All Kinds of Chaos (Popular Mechanics: Tweet / FB Post)
Donald Trump’s Donation Website Was Easily Hackable (NYMag: Tweet / FB Post)

Original Article (This will no longer work, but I bet you’ll still enjoy reading it, especially if you’re technical):

You Can Submit a Pull Request to Inject Arbitrary JS Code into Donald Trump’s Site. Here’s How.

Today (Aug 18, 2016 5am PDT) I was looking at Donald Trump’s campaign donation website, available at https://secure.donaldjtrump.com/donate-homepage.

Naturally as a software engineer, I decided to examine its source code. Then I found this line:

It’s loading a JS file from GitHub pages. Full source code screenshot can be found here.

The page is loading a JavaScript file directly from a page hosted on GitHub pages, (hence the github.io domain) and GitHub pages serves files directly from the corresponding GitHub repository’s gh-pages branch. If the file on GitHub gets modified somehow, the changes will be reflected on Trump’s site, usually in under 30 seconds.

In this case, the repository is jQuery-Mask-Plugin, a piece of code that enhances the user experience of submitting a form. And this is the JavaScript code that’s being served on Trump’s site: https://github.com/igorescobar/jQuery-Mask-Plugin/blob/gh-pages/js/jquery.mask.min.js

https://github.com/igorescobar/jQuery-Mask-Plugin/blob/gh-pages/js/jquery.mask.min.js

Because this is a public GitHub repository, anyone can (technically) submit a pull request on this JavaScript file to the author Igor Escobar, a full stack developer based in Portugal. If he accepts your pull request, then your JavaScript code, whatever it contains, will get injected to Trump’s campaign donation website immediately.

Potential Attack Idea

For instance, you might be able to inject the following JavaScript code:

if (location.host === 'secure.donaldjtrump.com') {
  location = 'http://hillaryclinton.com/'
}

If that code gets injected, every person who visits Donald Trump’s campaign donation page will now get redirected to Clinton’s website. The above code won’t affect other users of jQuery-Mask-Plugin, because of the if (location.host ===…) check which ensures that the redirect code only runs on Trump’s site.

The following GIF demonstrates an injection of the above JavaScript code by simulating the same effect using Chrome Devtools. You can see that you’ll get redirected to Clinton’s site immediately when the code is executed.

Injecting JS code to redirect Trump supporters to Clinton’s site.

To submit a pull request to the JS code loaded on Trump’s site, you can go to this page: https://github.com/igorescobar/jQuery-Mask-Plugin/edit/gh-pages/js/jquery.mask.min.js and add the code as shown on this GIF:

If the author accepts this pull request (which requires just a click on a button), then within 30 seconds, the code will go live on Trump’s site. Every person trying to donate to Trump will now get redirected to Hillary’s site. Trump’s digital marketing team will need to MAKE THEIR SITE WORK AGAIN. It’s all up to the will of one developer in Portugal.

Disclaimer: I didn’t actually submit the above pull request —I never clicked the “Propose file change” button.

More Attack Ideas

You can do more fun things by injecting custom JS code. For instance, this code:

if (location.host === ‘secure.donaldjtrump.com’) {
  document
    .querySelector(‘.donation-container’)
    .style[‘background-image’] = ‘url(“https://cloud.githubusercontent.com/assets/992008/17785065/192ea49c-6534-11e6-9ab1-d3ac6b4894cb.jpg")'
}

Will change the page background like this:

Image taken from here: http://www.eater.com/2016/5/13/11673108/trump-putin-kiss-street-art

License

Just FYI, jQuery-Mask-Plugin is published under The MIT License, which states:

The software is provided “as is”, without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the authors or copyright holders be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the software or the use or other dealings in the software.

Side Note: Who’s Behind Trump’s Site

According to San Antonio Express News, the Trump campaign has paid Giles-Parscale, a San Antonio-based design firm, nearly $2 million to work on the campaign’s website between May 15, 2015 and April 29, 2016. The same article quotes Donald Trump’s son Eric, who in 2013 said “Giles-Parscale is a true class act in every regard and one of the best in the business.” Brad Parscale, the firm’s President, has also tweeted a year ago that donaldjtrump.com is “handling nearly 10K requests a sec with ease.”

Update: Giles-Parscale apparently used a third party solution for the campaign donation page.

Please Don’t Try This at Home

Just because it’s technically possible, it doesn’t mean that you should actually do it.

The author will most likely NOT accept your pull request spam (he doesn’t even live in the U.S.), and you should definitely NOT send a pull request, as it’s just wrong and has serious consequences (Trump campaign will probably sue you, for the start). And it’ll be irrelevant after Trump’s team patches their code to use their own server to load JavaScript assets (I’ll update this post if that happens — I expect it to happen soon, as some people have already tweeted this article to Trump’s web team).

But what I’m trying to say is this: Don’t load JS assets directly from GitHub pages, especially if you’re running for President of the United States. And especially on your campaign donation site, where your visitors submit their private information, as the information can easily be accessed, intercepted, and transmitted elsewhere by injected JS code.

Trump claims that he can “MAKE AMERICA SAFE AGAIN,” but his supporters’ privacy is not very safe as of writing. A tremendous risk for identity theft — Sad!

Tweets (Before they patched it)

Tweets (AFTER they patched it)

A reporter Blake Montgomery (disclaimer: Blake is my colleague) has interviewed Igor, the author of jQuery-Mask-Plugin:

Igor’s explanation for not accepting PR’s:

For the Record…

Here’s the screenshot of the original, vulnerable source code on Google’s cache, if anyone’s interested.
Finally, my fellow developer Bob Ippolito made an excellent point:

I’ve written a follow-up piece on why I was looking at the source code on Trump’s site in the first place.
Igor has written a blog post: I’ve had the chance to troll Donald Trump. But I didn’t.