US presidential candidate websites easy to hack, says report

"If our presidential candidates don't take security seriously, how can we expect anyone else to?" the report says.

The current US presidential candidates may be versed in foreign policy, national security, education, healthcare, and defense. But on cybersecurity, nearly all of the top presidential candidates would fail, according to a new report.

Of the leading five candidates, Jeb Bush and Bernie Sanders were rated as having the worst protected campaign websites because they used unsecured and outdated WordPress installations that expose usernames and login pages.

Ben Carson, who is leading in the Republican polls, had the most secure site, the report said.

Cybersecurity, coupled with maintaining civil liberties and privacy, has been a relatively muted topic in the race to the White House so far, despite a number of hacks and data breaches, and the passing of a controversial data sharing bill, which critics have likened to a "surveillance bill by another name."

The bottom line? When a candidate shows they (or their staff) can't secure their own website, what message does it send to the American people?

Jonathan Lampe, a product manager at security group the InfoSec Institute who wrote the report, said in an email that any candidate for president "should take information security seriously."

"When hackers can potentially crash planes, cars and disrupt critical infrastructure, the issue becomes an existential threat to the society we live in," he said.

"If our presidential candidates don't take security seriously, how can we expect anyone else to?"

Lampe inspected the various sites by looking at the server, apps, and other trails to providers and services to determine the ways an attacker could target each site.

Hillary Clinton, whose private email server controversy continues to draw attention away from her policies, received a mid-level security rating, but her site stands as the most secure among the Democratic candidates. It's not without criticism, though. Lampe said the site was large and complex, which creates an attack surface greater than any other candidate's.

Donald Trump, whose hotel chain suffered a system hack earlier this year, also runs WordPress, but the site is "partially locked down," said Lampe, who gave Trump's site a mid-level security rating for its mixed bag of results. That's because the site's login page is exposed to the web, and it uses some outdated and insecure software. But Trump's website goes a little further in obfuscating credit card data before it's encrypted and sent over the internet, whereas other candidates do not.

On the plus side, all of the leading five candidates used high-quality encryption (HTTPS) to secure their websites.

Lampe said he did not receive any response from the candidates' teams about their sites' vulnerabilities.

We reached out to Sanders' and Bush's campaigns, and others, but did not hear back at the time of writing. If we do, we'll update the story.