
“A Terrible Vulnerability”: Cybersecurity Researcher Discovers Yet Another Flaw in Georgia’s Voter Cancellation Portal – ProPublica

Until Monday, a new online portal run by the Georgia Secretary of State’s Office contained what experts describe as a serious security vulnerability that would have allowed anyone to submit a voter cancellation request for any Georgian. All that was required was a name, date of birth and county of residence — information easily discoverable for many people online.
The flaw was brought to the attention of ProPublica and Atlanta News First over the weekend by a cybersecurity researcher, Jason Parker. Parker, who uses they/them pronouns, said that after discovering it, they attempted to contact the Georgia Secretary of State’s Office. The office said it had no records of Parker’s attempts to reach out.
“It’s a terrible vulnerability to leave open, and it’s essential to be fixed,” Parker said.
The issue Parker exposed was “as bad as any voter cancellation bug could be” and “incredibly sloppy coding,” said Zach Edwards, a senior threat researcher at the cybersecurity firm Silent Push, who reviewed the flaw at the request of ProPublica. “It’s shocking to have one of these bugs occur on a serious website.” Edwards said that even a basic penetration test, in which outside experts vet the security of a website before its launch, “should have picked this up.”
ProPublica and Atlanta News First jointly alerted the Secretary of State’s Office to the vulnerability and held the publication of their articles until it was fixed.
“We have updated the process to include an error message letting the individual know their submission is incomplete and will not be processed,” Blake Evans, Georgia’s elections director, said in a statement from the Secretary of State’s Office.
In the days after the portal launched last Monday, The Associated Press and The Current each reported the existence of separate security vulnerabilities that exposed voters’ sensitive personal information, including the last four digits of their Social Security number and their full driver’s license number. The Secretary of State’s Office told the news organizations that it quickly fixed the portal. Democrats warned that the system could be abused, as right-wing activists have been challenging tens of thousands of voter registrations in a different process that a 2021 state law expanded. Over the weekend, ProPublica reported that users of the portal had unsuccessfully attempted to cancel the voter registrations of two prominent Republican officials, Secretary of State Brad Raffensperger and Rep. Marjorie Taylor Greene.
The flaw found by Parker was different from the two previously reported ones. This one would allow any user of the portal to bypass the screen that requires a driver’s license number and submit the cancellation request without it.
The Secretary of State “needs to consider this an all-hands-on-deck” moment “and hire multiple testing and security firms and stop relying on the public’s goodwill and pro bono security researchers to test the quality of their website,” Edwards said. “At this point, we should assume there are other subtle bugs that could have potentially serious impact.” Edwards said that it would have been easy for a malicious actor to automate cancellation requests to get around security measures built into the website and submit thousands of them.
In a video shared with ProPublica, Parker, who is moving from Georgia to another state, demonstrated how the registration cancellation tool could be exploited in roughly a minute. First, they entered their name, date of birth and county of residence to get past the website’s initial screening page. When the portal asked them for a driver’s license number, Parker right-clicked to inspect the browser’s HTML code — a basic option available to anyone — and deleted a few lines of code requiring them to submit their driver’s license number. Parker then hit submit. A window popped up stating that “Your cancellation request has been successfully submitted” and that county election workers would process the request within a week.
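A required field that only the browser enforces, as in the bypass described above, has to be checked again by the server that receives the form. The following is an added example, not code from the portal, ProPublica or the Secretary of State's Office; the field names, the license-number format and the function names are hypothetical.

```javascript
// Hypothetical field names and formats; the portal's real form is not shown on this page.
const REQUIRED = {
  fullName: (v) => v.trim().length > 0,
  dateOfBirth: (v) => /^\d{4}-\d{2}-\d{2}$/.test(v) && !Number.isNaN(Date.parse(v)),
  county: (v) => v.trim().length > 0,
  // Assumed format for illustration only: 7 to 9 digits.
  driversLicense: (v) => /^\d{7,9}$/.test(v),
};

// "Before": assumes the browser already enforced the form's required fields.
function acceptTrustingClient(body) {
  return { accepted: true, record: { ...body } };
}

// "After": the server checks every required field itself and keeps only known fields.
function acceptWithServerChecks(body) {
  const errors = [];
  const record = {};
  for (const [field, isValid] of Object.entries(REQUIRED)) {
    const value = body == null ? undefined : body[field];
    if (typeof value !== "string" || !isValid(value)) {
      errors.push(field); // missing, wrong type, or malformed
    } else {
      record[field] = value.trim();
    }
  }
  if (errors.length > 0) {
    // Incomplete submission: reject and report which fields failed.
    return { accepted: false, errors };
  }
  return { accepted: true, record };
}

// Constructed sample: the request body when the license input was removed from the page.
const strippedSubmission = {
  fullName: "Jane Q. Sample",
  dateOfBirth: "1980-01-31",
  county: "Fulton",
};
const completeSubmission = { ...strippedSubmission, driversLicense: "012345678" };

console.log(acceptTrustingClient(strippedSubmission).accepted);
console.log(acceptWithServerChecks(strippedSubmission));
console.log(acceptWithServerChecks(completeSubmission).accepted);
```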
Parker said it took them less than two hours of poking around the website to find the vulnerability.
“Incomplete paper and online applications will not be accepted,” Evans said in the statement. (Parker’s cancellation request would have lacked a driver’s license number.) The Secretary of State’s Office did not respond to individual questions about what testing the portal underwent before launch, the system’s security procedures, what happened to Parker’s cancellation request and how the public could be sure of the portal’s security given the recent disclosures of security flaws.
Cybersecurity Researcher Shows Flaw With Georgia’s Voter Registration Cancellation Website
“The Secretary of State’s Office needs to do better,” said Marisa Pyle, the senior democracy defense manager for Georgia with All Voting is Local, a voting rights advocacy organization. “The state needs to be really intentional about how it rolls out these things. It needs to make sure they’re secure and provide their rationale for making them.”
Jake Braun, the author of a book on cybersecurity flaws in election systems and lecturer at the University of Chicago, said that there is a long history of elections-related websites suffering from easily exploitable security failures, including Russians hacking election infrastructure during the 2016 election and public-interest competitions in which participants breached replicas of state election websites in minutes. Online elections infrastructure, he said, “needs more standards and better standards.”
Edwards said that the portal’s vulnerability-plagued rollout showed the necessity of improving the vetting process.
“Georgia should step up and pass a law saying all new websites in which the public interacts with government documents should have an outside review,” Edwards said. The public “should expect” officials “did some due diligence.”
Do you have any information about the Georgia voter registration cancellation portal, voter challenges or anything voter-related that we should know? Contact reporter Doug Bock Clark by email at [email protected] and by phone or Signal at 678-243-0784. If you’re concerned about confidentiality, check out our advice on the most secure ways to share tips.
Doug Bock Clark is a reporter in ProPublica’s South unit. He investigates threats to democracy and abuses of power throughout the region.

© Copyright 2024 Pro Publica Inc.
Creative Commons License (CC BY-NC-ND 3.0)


This article was autogenerated from a news feed from CDO TIMES selected high quality news and research sources. There was no editorial review conducted beyond that by CDO TIMES staff.
