Flaw in Right-Wing ‘Election Integrity’ App Exposes Voter-Suppression Plan and User Data

A bug that WIRED discovered in True the Vote’s VoteAlert app revealed user information—and an election worker who wrote about carrying out an illegal voter-suppression scheme.

Wired

An app developed by the right-wing nonprofit True the Vote to crowdsource claims of voter fraud contained a security flaw that exposed the email addresses of all users who posted or commented on the platform, along with other information.

The vulnerability, which has since been patched, exposed a California election officer who used the app to post about her racist and illegal scheme to demand IDs from certain voters based on perceived citizenship status. California does not require voters to show identification in most cases. Election officials are now investigating the incident, WIRED has learned.

The app, VoteAlert, is the latest initiative from True the Vote, a Texas-based nonprofit founded by Catherine Engelbrecht, a once-fringe right-wing figure who helped to mainstream the modern election denial movement. Known for promoting election conspiracy theories without substantiating evidence, the organization has repeatedly touted technology to legitimize its claims of widespread voter fraud, even though it has refused to present proof when challenged.

WIRED discovered the data exposure while reviewing VoteAlert’s public-facing code. When loading new posts, VoteAlert inadvertently returned the email addresses of users who submitted reports or comments, making them visible to anyone who inspected the site’s source code.

True the Vote did not directly address specific questions about the data exposure, content posted to the app, or the likely election official using the tool to post about their illegal scheme to check citizenship status. Instead, a spokesperson attributed the leak to an issue with an infinite scroll feature introduced over the weekend, which they said “temporarily affected the configuration.” When WIRED pointed out that the exposure had been ongoing for several weeks, True the Vote did not respond further. The issue has since been resolved, and emails are no longer visible.

Prior to being patched, the flaw exposed at least 146 user email addresses of people who posted claims of voter fraud and commented on the site. WIRED’s analysis of the app’s content revealed 186 user-submitted reports of fraud and more than 200 additional comments left on those reports, suggesting that the app has a relatively small user base. However, for these niche users, VoteAlert has become a hub for posting unverifiable and misleading claims about supposed election irregularities.

In one claim debunked by the New York Times, a user alleged that a Dominion voting machine displayed mismatched “public” and “private” vote counters—a feature Dominion says does not exist. Another post, now deleted, claimed a bake sale at a Delaware polling place was intended to sway votes, a potential violation of election law. ProPublica and Wisconsin Watch later reported that the photo included with the post was at least seven years old.

In a since-deleted VoteAlert post reviewed by WIRED, a user wrote: “I’m probably going to be fired for this but I was hired by the Riverside County Registrar of Voters as an Election Officer in Hemet, CA. Since I’m in charge at this polling center, I’m asking for citizenship ID of anyone that looks suspiciously like they’re not here legally.”

The post went on to suggest that the Riverside County Sheriff’s Office wouldn’t intervene in her scheme. “It’s just a drop in the bucket but I’m going to do my part to stop election fraud,” she wrote. “Wish me luck🙏”

WIRED traced the email associated with the post to a California woman who describes herself as a person who is “FED UP with all the bullsh*t,” according to one app profile. “You’re only getting the hard, smack-your-face TRUTH from me.”

The woman, whose name WIRED is not publishing because it was revealed through a security flaw, did not respond to requests for comment.

In a phone call, Riverside County public information officer Elizabeth Florer confirmed that the county had hired an election worker matching WIRED’s findings and that the county is investigating the incident, and committed to ensuring all election laws are followed. Florer added that additional personnel have now been deployed to the Hemet polling center to provide oversight and ensure strict compliance with election laws.

True the Vote is perhaps best known for its role in the widely debunked film 2,000 Mules. The film relied heavily on the group’s research to allege that “ballot mules” were paid to fraudulently collect and deliver ballots for Democratic candidates in key swing states during the 2020 election. However, an investigation by the Associated Press found that the film was based on flawed and improper analysis of cell phone location data. After a defamation lawsuit, the film’s publishers, Salem Media Group, retracted the film, removing it from its platforms, and said there wouldn’t be any future distribution of the book. They also issued an apology to a voter falsely portrayed as illegally voting in the film.

Undeterred, in 2022 True the Vote launched a web app called IV3, which it claimed led to the challenge of hundreds of thousands of voter registrations. A WIRED analysis found that the app’s methodology was unreliable and prone to error, with experts warning that IV3 weaponizes public data and is more likely to remove eligible voters from the rolls than to detect widespread fraud—a problem they note is virtually nonexistent in the US.

In records obtained by the nonprofit group American Oversight and shared with WIRED, in May 2024, an individual with the username “Totes Legit Votes” apparently used IV3 to challenge the eligibility of 5,000 people in Florida.

True the Vote has struggled to provide courts with meaningful evidence to substantiate its claims of widespread voter fraud.

In 2021, the group filed a complaint with Georgia’s secretary of state, alleging widespread illegal ballot stuffing in Atlanta during the 2020 election and subsequent runoff. However, when ordered by a judge to provide evidence, True the Vote admitted it had no names or documentation to support its claims.

The following year, court marshals arrested True the Vote founder Engelbrecht and board member Gregg Phillips after they defied a court order to produce evidence in a defamation case brought by the software company Konnech. The lawsuit accused True the Vote of falsely claiming that Konnech stored US election workers’ personal information on an unsecured server in China.
