A bug WIRED discovered in True the Vote's VoteAlert app revealed user information -- and an election worker who wrote about carrying out an illegal voter-suppression scheme.
An app developed by the right-wing nonprofit True the Vote to crowdsource claims of voter fraud contained a security flaw that exposed the email addresses of all users who posted or commented on the platform, along with other information.
The vulnerability, which has since been patched, exposed a California election officer who used the app to post about her racist and illegal scheme to demand IDs from certain voters based on perceived citizenship status. California does not require voters to show identification in most cases. Election officials are now investigating the incident, WIRED has learned.
The app, VoteAlert, is the latest initiative from True the Vote, a Texas-based nonprofit founded by Catherine Engelbrecht, a once-fringe right-wing figure who helped to mainstream the modern election denial movement. Known for promoting election conspiracy theories without substantiating evidence, the organization has repeatedly touted technology to legitimize its claims of widespread voter fraud, even though it has refused to present proof when challenged.
WIRED discovered the data exposure while reviewing VoteAlert's public-facing code. When loading new posts, VoteAlert inadvertently returned the email addresses of users who submitted reports or comments, making them visible to anyone who inspected the site's source code.
True the Vote did not directly address specific questions about the data exposure, content posted to the app, or the likely election official using the tool to post about their illegal scheme to check citizenship status. Instead, a spokesperson attributed the leak to an issue with an infinite scroll feature introduced over the weekend, which they said "temporarily affected the configuration." When WIRED pointed out that the exposure had been ongoing for several weeks, True the Vote did not respond further. The issue has since been resolved, and emails are no longer visible.
Prior to being patched, the flaw exposed at least 146 user email addresses of people who posted claims of voter fraud and commented on the site. WIRED's analysis of the app's content revealed 186 user-submitted reports of fraud and more than 200 more comments left on those reports, suggesting that the app has a relatively small user base. However, for these niche users, VoteAlert has become a hub for posting unverifiable and misleading claims about supposed election irregularities.
In one claim debunked by the New York Times, a user alleged that a Dominion voting machine displayed mismatched "public" and "private" vote counters -- a feature Dominion says does not exist. Another post, now deleted, claimed a bake sale at a Delaware polling place was intended to sway votes, a potential violation of election law. ProPublica and Wisconsin Watch later reported that the photo included with the post was at least seven years old.