An app developed by the right-wing nonprofit True the Vote to crowdsource claims of voter fraud contained a security flaw that exposed the email addresses of all users who posted or commented on the platform, along with other information.
The vulnerability, which has since been patched, exposed a California election officer who used the app to post about her racist and illegal scheme to demand IDs from certain voters based on perceived citizenship status. California does not require voters to show identification in most cases. Election officials are now investigating the incident, WIRED has learned.
The app, VoteAlert, is the latest initiative from True the Vote, a Texas-based nonprofit founded by Catherine Engelbrecht, a once-fringe right-wing figure who helped to mainstream the modern election denial movement. Known for promoting election conspiracy theories without substantiating evidence, the organization has repeatedly touted technology to legitimize its claims of widespread voter fraud, even though it has refused to present proof when challenged.
WIRED discovered the data exposure while reviewing VoteAlert’s public-facing code. When loading new posts, VoteAlert inadvertently returned the email addresses of users who submitted reports or comments, making them visible to anyone who inspected the site’s source code….
In a since-deleted VoteAlert post reviewed by WIRED, a user wrote: “I’m probably going to be fired for this but I was hired by the Riverside County Registrar of Voters as an Election Officer in Hemet, CA. Since I’m in charge at this polling center, I’m asking for citizenship ID of anyone that looks suspiciously like they’re not here legally.”
The post went on to suggest that the Riverside County Sheriff’s Office wouldn’t intervene in her scheme. “It’s just a drop in the bucket but I’m going to do my part to stop election fraud,” she wrote. “Wish me luck🙏”
WIRED traced the email associated with the post to a California woman who describes herself as a person who is “FED UP with all the bullsh*t,” according to one app profile. “You’re only getting the hard, smack-your-face TRUTH from me.”
The woman, whose name WIRED is not publishing because it was revealed through a security flaw, did not respond to requests for comment.
In a phone call, Riverside County public information officer Elizabeth Florer confirmed that the county had hired an election worker matching WIRED’s findings and that the county is investigating the incident, and committed to ensuring all election laws are followed. Florer added that additional personnel have now been deployed to the Hemet polling center to provide oversight and ensure strict compliance with election laws.