How I side-hacked an Obama 2012 campaign microsite
While doing some research for a potential client, I stumbled across a website left dangling by the Obama 2012 presidential campaign… and took it.
During the 2012 Election…
The Obama campaign team was able to move very quickly to execute a plan that, in every way, beat the pants off of any other (digital or otherwise) campaign effort in history. They built a massive database of information and developed the right tools to motivate volunteers and understand the results. They did this by making full use of the Amazon Web Services platform and many of its tools to power mobile apps, microsites, internal database tools for reporting – and probably a thousand more angles they haven’t talked about publicly.
They used S3 (Simple Storage Service) to host most, if not all, of the public-facing parts of the website. S3 is fast, reliable, and you can use tools like Jekyll to generate pseudo-dynamic sites that won’t go down under crazy spikes in traffic. The thing that separates your average website from something like a political website is that your average site probably gets consistent traffic and isn’t made to scale to millions of visits without warning. A political website must be able to handle those spikes. Amazon and S3 are the perfect tools to deal with that.
How S3-hosted sites work
To host a site on S3, all you have to do is point DNS records from a domain to Amazon’s servers, then set up a “bucket” (folder) with instructions that say “this bucket is allowed to host files as if it were a website.” Then you move files into that folder, and as if by magic, your website is online. On S3, the bucket naming space is global and no two accounts across the entire Amazon space can have the same bucket name. This is great, because we can host our site from the bucket called “madebymarket.com” and nobody else can create a bucket with that name for as long as ours exists. Amazon gets a web request for www.madebymarket.com and goes “oh, I have a web bucket for that, show the site from there.” It is pretty great.
The side-hacking of Romneytaxplan.com
During their talk at re:Invent, they mentioned romneytaxplan.com as one of their more popular microsites and a great example of how a site can get millions of visits all at once and stay up, because of the durability of S3. I wanted to see if they left the site up, and got a rather surprising error…
"bucket does not exist."
The “bucket does not exist” error means a few important things.
- They still own the domain and left the DNS records pointing to Amazon
- They un-published the website by simply removing the bucket & its files
- That bucket name is now available… for anyone to create in their own account.
I quickly created a bucket in my own account called “romneytaxplan.com” and hooked up the necessary “this is a website” policy to the bucket, and uploaded some files.
These little microsites probably have no value to them anymore, but they did get millions of visits and still retain thousands of links across the web. If one of their microsites is open to this, I bet the other sites they tossed online are open to it as well. It’d be easy enough to find out and put up spam/ad/virus junk and they’d probably never know about it.
note: I’m using the term “side-hack” here because I simply slid into the space where it expected a site to exist. I didn’t “hack” anyone’s accounts or systems, change anyone’s settings, etc.
Leaving the gate open
The moral of this story is that if the most successful political media campaign of all time forgets to “close the gate,” the chances are pretty high that others have done the same. I’ve tried to reach out to a couple of former members of the Obama For America team to tell them about this.
update: I’ve been in contact with one former member of the OFA team, and it looks like these microsites are actually under DNC control, so I’m going to ping that direction about this issue. By this person’s estimate, there were probably hundreds of microsites during this time, so I wonder how many are floating out there, needing to be closed up.
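For anyone who owns a pile of old microsites, here is one way to find the gates that were left open. This is an added example, not code from the original post: it walks a DNS inventory of your own zone, picks out records that point at S3 website endpoints, and flags the ones where S3 answers with the “bucket does not exist” error. The hostnames, CNAME targets and response bodies are constructed sample data, and the function names are made up for this sketch.

```python
import re
import urllib.error
import urllib.request

# Matches both S3 website endpoint styles, with or without a bucket-name prefix:
#   <bucket>.s3-website-<region>.amazonaws.com / <bucket>.s3-website.<region>.amazonaws.com
S3_WEBSITE = re.compile(r"^(?:.+\.)?s3-website[.-][a-z0-9-]+\.amazonaws\.com\.?$")

# Constructed sample data (not real records): hostname -> CNAME/alias target
ZONE = {
    "www.example.org": "www.example.org.s3-website-us-east-1.amazonaws.com",
    "promo.example.org": "promo.example.org.s3-website-us-east-1.amazonaws.com.",
    "mail.example.org": "mx.example.net",
}
# Constructed responses, modelled on the error quoted in the post
RESPONSES = {
    "www.example.org": (200, "<html>site</html>"),
    "promo.example.org": (404, "<li>Code: NoSuchBucket</li>"
                               "<li>Message: The specified bucket does not exist</li>"),
}

def fetch(hostname):
    """Live check for a host you own: return (status, first 4 KiB of body)."""
    try:
        with urllib.request.urlopen(f"http://{hostname}/", timeout=10) as r:
            return r.status, r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(4096).decode("utf-8", "replace")

def classify(target, status, body):
    """Classify one record from its DNS target and the HTTP response it produced."""
    if not S3_WEBSITE.match(target.lower()):
        return "not-s3"
    # DNS still points at S3 but no bucket answers to this hostname
    if status == 404 and "NoSuchBucket" in body:
        return "dangling"
    return "live"

def audit(zone, responses=None):
    """Return hostnames whose DNS points at S3 with no bucket behind it."""
    dangling = []
    for host, target in sorted(zone.items()):
        if not S3_WEBSITE.match(target.lower()):
            continue  # only S3 website targets are of interest here
        status, body = responses[host] if responses else fetch(host)
        if classify(target, status, body) == "dangling":
            dangling.append(host)
    return dangling

if __name__ == "__main__":
    print(audit(ZONE, RESPONSES))
```

Every hostname this returns needs its DNS record removed (or the bucket re-created in your own account) before someone else claims the name. When retiring a site, delete the DNS record first and the bucket second.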