I'm making this one public and not doing responsible disclosure due to the timely importance of the issue. Donald Trump is sticking with his voter fraud claims and cited his source in a tweet this morning: "Gregg Phillips", so I went ahead and looked into the issue. Gregg Phillips is behind the "VoteStand" application for iOS and Android and claims he has data from the use of that app that proves voter fraud. The problem? The application has no security whatsoever. It doesn't strongly authenticate the identity of any user who uses it and worse, everything it does on the Internet is in clear text. Here's a registration action captured on the network:
POST http://votestand.firstandthird.com/api/user?apikey=v0t3st4nd HTTP/1.1
Host: votestand.firstandthird.com
Content-Type: application/json;charset=UTF-8
Origin: file://
Connection: keep-alive
Proxy-Connection: keep-alive
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Mobile/14B100 (4297108912)
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Content-Length: 36
{"name":"foo","email":"[email protected]"}
In short, this application satisfies none of the three legs of the confidentiality, integrity, and availability (CIA) triad, and any data which comes from the app cannot be trusted. Further, every user who downloaded it, registered, and used it should expect that their information could have been exposed; and because of the nature of the flaw, there is no way Gregg Phillips can say it wasn't, since the application itself suffers from a complete lack of security controls.
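As an added example (not code from this post or from the VoteStand app), here is a small Python triage script that parses a captured request like the one above and lists the control gaps the post calls out: cleartext transport, a static key in the query string, no per-user credential, and personal data sent in the clear. The sample request, host and key are constructed placeholders.

```python
"""Triage a captured HTTP/1.1 request for basic security control gaps."""
import json
from urllib.parse import urlsplit, parse_qs

PII_FIELDS = {"name", "email", "phone", "address", "dob"}
KEY_PARAMS = ("key", "token", "secret")

# Constructed sample mirroring the registration call in the post
# (placeholder host, key and e-mail; not a real capture).
SAMPLE_REQUEST = (
    "POST http://app.example/api/user?apikey=KEY_PLACEHOLDER HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: application/json;charset=UTF-8\r\n"
    "Accept: application/json, text/plain, */*\r\n"
    "\r\n"
    '{"name":"foo","email":"user@example.com"}'
)


def parse_request(raw):
    """Split a raw request into (method, target, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def audit_request(raw):
    """Return the list of control gaps found in one captured request.

    Assumes an absolute-form target (as seen through a proxy); an
    origin-form target ("/api/user") has no scheme and is not flagged
    as cleartext here.
    """
    _method, target, headers, body = parse_request(raw)
    findings = []
    url = urlsplit(target)
    cleartext = url.scheme == "http"
    if cleartext:
        findings.append("cleartext-transport")
    for param in parse_qs(url.query):  # static app-wide keys in the URL
        if any(k in param.lower() for k in KEY_PARAMS):
            findings.append("static-key-in-query:" + param)
    if "authorization" not in headers and "cookie" not in headers:
        findings.append("no-per-user-credential")
    if cleartext and body:  # personal data readable by anyone on the path
        try:
            data = json.loads(body)
        except ValueError:
            data = {}
        exposed = sorted(set(data) & PII_FIELDS) if isinstance(data, dict) else []
        if exposed:
            findings.append("pii-in-cleartext-body:" + ",".join(exposed))
    return findings


if __name__ == "__main__":
    print(audit_request(SAMPLE_REQUEST))
```

Run against a TLS request that carries a per-user Authorization header and no key in the query string, the same function returns an empty list.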