Canadian Firm Linked to Cambridge Analytica Exposed Source Code
Source code belonging to Canada-based digital advertising and software development company AggregateIQ has been found by researchers on an unprotected domain. The exposed files appear to confirm reports of a connection between AggregateIQ and Cambridge Analytica, the controversial firm caught in the recent Facebook data scandal.
On March 20, Chris Vickery of cyber risk company UpGuard stumbled upon an AggregateIQ subdomain hosting source code for the company’s tools. The files, stored using a custom version of the code repository GitLab, were accessible simply by providing an email address.
The exposed information included the source code of tools designed for organizing information on a large number of individuals, including how they are influenced by ads, and tracking their online activities. The files also contained credentials that may have allowed malicious actors to launch damaging attacks, UpGuard said.
The nature of the exposed code is not surprising considering that the firm is said to have developed tools used in political campaigns around the world, including in the United States and United Kingdom.
AggregateIQ has been linked by the press and a whistleblower to Cambridge Analytica, a British political consulting and communications firm said to be involved in the presidential campaigns of Donald Trump and Ted Cruz, and the Brexit “Vote Leave” campaign.
Cambridge Analytica recently came under fire after it was discovered that it had collected information from 50 million Facebook users’ profiles and used it to create software designed to predict and influence voters. Facebook has suspended the company’s account after news broke, but the social media giant has drawn a lot of criticism, both from customers and authorities.
According to some reports, AggregateIQ was originally launched with the goal of helping Cambridge Analytica and its parent company SCL Group. In a statement published on its website over the weekend, AggregateIQ denied reports that it’s part of Cambridge Analytica or SCL. It has also denied signing any contracts with the British firm and being involved in any illegal activity.
However, there appears to be some evidence that Cambridge Analytica owns AggregateIQ’s intellectual property, and the files discovered by UpGuard also seem to show a connection.
For example, two of the AggregateIQ projects whose source code was exposed contained the string “Ripon,” which is the name of Cambridge Analytica’s platform. The code also included a piece of text that may have been used in phone calls made by Ted Cruz supporters during his presidential campaign.
Researchers also noticed that one of the user accounts mentioned in the exposed files was named “SCL,” which could be a reference to Cambridge Analytica’s parent company.
“Taken in full, it remains unclear why what resembles a version of the app Cambridge Analytica promised would be ‘revolutionary’ for the Cruz campaign would be found in the development repository of AggregateIQ,” said UpGuard, which plans on publishing follow-up reports on this story.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.