Democratic Campaign Contributions

ActBlue CSRF Security Vulnerability

Responsible Disclosure


released Wed Jun 15 21:00:00 UTC 2016
last updated Sat Jun 18 06:20:49 UTC 2016

Introduction
Proof of Concept
Explanation
Potential Attacks
Recommendation to donors
Recommendation to ActBlue
Disclosure

Introduction. ActBlue is a non-profit that organizes fundraising efforts for Democratic causes; so far they have facilitated over a billion dollars in donations. This page details a security vulnerability in the ActBlue donation system.

If you agree this is a critical vulnerability after reading, please tweet and e-mail them at demanding a hotfix.

tl;dr This vulnerability affects over three million individuals who have donated to a Democratic cause using ActBlue Express Lane. Specifically, the ActBlue donation system can be exploited to appropriate false donations towards either the Hillary Clinton or Bernie Sanders campaigns. Using cross-site request forgery, previous donors can be tricked into donating to other Democratic candidates or causes.

Sketch of vulnerabilty ActBlue's Express Lane feature allows for one-click donation links, but they aren't protected by CSRF tokens, so the same link works for everyone. If you coerce someone to go to the page, then they automatically donate due to the JavaScript on the donation portal.

Proof of Concept

Navigating to the hyperlinks in this red box may charge your credit card without your consent. Before continuing, read the entire HTML source code.

(0) Ensure that cookies are enabled. This exploit has been tested on the latest versions of Firefox and Chrome.

(1) Skip this step if you're already using Express Lane and are signed in. Go to only one of the following URLs, and follow the instructions and donate $1. Save your information with Express Lane when prompted.

(2) In the same browser session, click the following links to donate to the respective candidate. You don't have to do anything after clicking, just wait. Note that both these links work, regardless of which link you went to in (1). You should get to a page thanking you for your contribution.

(3) Check your credit card statement. You may have to wait a while for the charges to appear. If there is a $2 charge, that means the CSRF from the last step worked successfully. You can also check your .

If you accidentally donated and wish to reverse the charges, contact ActBlue at .

Explanation. This attack makes use of the ActBlue Express Lane feature, which allows people who have saved their information with ActBlue previously to donate again with a single click. Due to lack of CSRF protection (details below) the same link works for everyone who is enrolled in Express Lane.

Note that it is interpreting the JavaScript on the website that causes the donation, not merely the GET request itself. So, (as far as I can tell), it wouldn't be possible to include the link in an auto-loading tag or similar.

Potential attacks. This section is a thought experiment intended to show that this vulnerability is dangerous.

Visit an internet community of Democrats, and submit a link to a personal webpage redirecting to a news article. When the post becomes popular, change the redirect to link to one of the URLs in (2). One can coerce hundreds or thousands of Democrats supporting a particular candidate to donate to an opposing Democrat. A large majority might realize that they've been tricked and will hurriedly exit the tab or press the newly-added (and miniscule) "Cancel" button, or perhaps demand a refund from ActBlue if they did end up donating. But there will always be a sizeable portion that will be confused, not knowing what is occurring. The landing simply reads "Thanks for donating." - a reasonable reaction is to think this is a page referencing an earlier donation, especially when the original link purportedly had nothing to do with donation.

A stealthy version of the above could use JavaScript to automatically open and close the donation portal (example). This could be combined with waiting until the user is idle to launch the attack.

While some users might have the time to request refunds, many don't, especially since these attacks can be repeated as long as ActBlue does not fix the vulnerability. If ActBlue were able to detect which users had been tricked into donating, then the above proof of concept would not work.

Finally, there may be other ways to coerce users to visit a website and interpret the JavaScript on the Express Lane donation site without them knowing. For example, even though ActBlue sets a X-Frame-Options: sameorigin header, Internet Explorer versions before 8 do not respect the header (I have not tested this). This could be used for a stealthy attack.

Recommendation to donors. If you have saved your credit card information with ActBlue Express Lane, remove it at your (click "Edit your Express Donor profile"). Then, check your credit card statement and for possible fraud.

Recommendations to ActBlue developers. In the case that the one-click donation feature is absolutely critical, the clear option is to add a unique CSRF token to each URL when sending out e-mails. Note that this is still insecure: anyone that can inspect browser traffic (for example someone with access to your browser history) will know the CSRF token. Further, presumably these tokens would need to be disclosed to the offices of the candidates who are running e-mail campaigns processing donations with ActBlue. Since these campaigns are partial to a specific candidate, this creates a conflict of interest.

However, even this simple protection drastically reduces the probability of successful attack, while still making it possible for ActBlue to provide one-click donation in the majority of cases.

I believe that a political organization like ActBlue must take all possible security measures, even at the (slight) inconvenience of donors. I recommend the ActBlue team add a simple "Confirm" button before the transaction takes place, sending a POST request with a CSRF token. This solution also applies to the first option in cases where providing a unique token is unfeasible, for example with public Facebook posts.

Either of these two solutions would be vastly better than what is currently implemented.

Disclosure. I first noticed this vulnerability on May 10th, 2016, and reported it to on May 11th, 2016. Below are a few lines from the e-mails I received in response.

"This feature (Express Lane) is intentional, for the convenience of campaigns that we work closely with. Unfortunately I can't get more into the business side of things but we are aware of the potential for misuse and monitor it closely.
...
"I assure you that we understand the technical components of that risk.
...
"I can assure you that our decisions are based on what will result in Democratic campaigns being able to most effectively raise money. We're a non-profit and that's our mission.
...
"We don't have a confirmation page because frequent donors want as little friction as possible in the giving process.
...
"The ultimate backstop is our generous refund policy. If anyone ever makes a donation in error, we're beyond eager to refund them. Part of being a political nonprofit means we're in this for the long game. We want donors to have the best experience possible."

This proof of concept suggests that the monitoring is insufficient. It's good that ActBlue offers refunds, but this isn't always effective, as pointed out earlier. After three weeks (and only after I said I would be disclosing publicly), ActBlue acknowledged that this was a "potential vector for mischief," and proposed having a cancel button on the donation page. I replied noting the solution's lack of effectiveness. To ActBlue's credit, the cancel button has been implemented.

ActBlue replied that they were "tossing around some other ideas," and on June 2nd, 2016, I told them I would be releasing on June 14th at 5pm EST, 34 days after I first reported it. They have since been ignoring my e-mails.

If you agree this is a critical vulnerability after, please tweet and e-mail them at demanding a hotfix.