The donation site used by truckers in Ottawa who are currently protesting against national vaccine mandates has fixed a security lapse that exposed passports and driver licenses of donors.
The Boston, Massachusetts-based donation service GiveSendGo became the primary donation service for the so-called “Freedom Convoy” last week after GoFundMe froze millions of dollars in donations, citing police reports of violence and harassment in the city.
The protest, which began in January, saw thousands of protesters and truckers descend on Canada’s capital to oppose mandatory COVID-19 vaccinations, paralyzing the streets with snarling traffic. A fundraising page on GoFundMe reached about $7.9 million in donations before the crowdsourcing giant stepped in to block the campaign, prompting the fundraising effort to move to GiveSendGo, which publicly declared its support for the protest. According to a press release, GiveSendGo said it had processed more than $4.5 million in donations for the Freedom Convoy protesters during its first day of the company hosting the campaign.
TechCrunch was tipped off to the data lapse after a person working in the security space found an exposed Amazon-hosted S3 bucket containing over 50 gigabytes of files, including passports and driver licenses that were collected during the donation process.
The researcher said they found the web address for the exposed bucket by viewing the source code of the Freedom Convoy’s webpage on GiveSendGo.
S3 buckets are used for storing files, documents or even entire websites in Amazon’s cloud but are set to private by default, and require a multi-step process before a bucket’s contents can be made public for anyone to access.
The exposed bucket had over a thousand photos and scans of passports and driver licenses uploaded since February 4, when the Freedom Convoy’s page was first set up on GiveSendGo. The filenames suggest that the identity documents were uploaded during the payments process, which some financial institutions require before they can process a person’s payment or donation.
TechCrunch contacted GiveSendGo co-founder Jacob Wells with details of the exposed bucket on Tuesday. The bucket was secured a short time later, but Wells did not respond to our questions, including if GiveSendGo planned on informing about the security lapse those whose information was exposed.
It’s not known for exactly how long the bucket was left exposed, but a text file left behind by an unnamed security researcher, dated September 2018, warned that the bucket was “not properly configured” which can have “dangerous security implications.”