“A Terrible Vulnerability”: Cybersecurity Researcher Discovers Yet Another Flaw in Georgia’s Voter Cancellation Portal

The flaw would have allowed anyone to submit a voter registration cancellation request for any Georgian using their name, date of birth and county of residence — information that is easily discoverable online.

by Doug Bock Clark

Aug. 5, 5:45 p.m. EDT

Until Monday, a new online portal run by the Georgia Secretary of State’s Office contained what experts describe as a serious security vulnerability that would have allowed anyone to submit a voter cancellation request for any Georgian. All that was required was a name, date of birth and county of residence — information easily discoverable for many people online.

The flaw was brought to the attention of ProPublica and Atlanta News First over the weekend by a cybersecurity researcher, Jason Parker. Parker, who uses they/them pronouns, said that after discovering it, they attempted to contact the Georgia Secretary of State’s Office. The office said it had no records of Parker’s attempts to reach out.

“It’s a terrible vulnerability to leave open, and it’s essential to be fixed,” Parker said.

The issue Parker exposed was “as bad as any voter cancellation bug could be” and “incredibly sloppy coding,” said Zach Edwards, a senior threat researcher at the cybersecurity firm Silent Push, who reviewed the flaw at the request of ProPublica. “It’s shocking to have one of these bugs occur on a serious website.” Edwards said that even a basic penetration test, in which outside experts vet the security of a website before its launch, “should have picked this up.”

ProPublica and Atlanta News First jointly alerted the Secretary of State’s Office to the vulnerability and held the publication of their articles until it was fixed.

“We have updated the process to include an error message letting the individual know their submission is incomplete and will not be processed,” Blake Evans, Georgia’s elections director, said in a statement from the Secretary of State’s Office.

In the days after the portal launched last Monday, The Associated Press and The Current each reported the existence of separate security vulnerabilities that exposed voters’ sensitive personal information, including the last four digits of their Social Security number and their full driver’s license number. The Secretary of State’s Office told the news organizations that it quickly fixed the portal. Democrats warned that the system could be abused, as right-wing activists have been challenging tens of thousands of voter registrations in a different process that a 2021 state law expanded. Over the weekend, ProPublica reported that users of the portal had unsuccessfully attempted to cancel the voter registrations of two prominent Republican officials, Secretary of State Brad Raffensperger and Rep. Marjorie Taylor Greene.

The flaw found by Parker was different from the two previously reported ones. This one would allow any user of the portal to bypass the screen that requires a driver’s license number and submit the cancellation request without it.

The Secretary of State “needs to consider this an all-hands-on-deck” moment “and hire multiple testing and security firms and stop relying on the public’s goodwill and pro bono security researchers to test the quality of their website,” Edwards said. “At this point, we should assume there are other subtle bugs that could have potentially serious impact.” Edwards said that it would have been easy for a malicious actor to automate cancellation requests to get around security measures built into the website and submit thousands of them.

In a video shared with ProPublica, Parker, who is moving from Georgia to another state, demonstrated how the registration cancellation tool could be exploited in roughly a minute. First, they entered their name, date of birth and county of residence to get past the website’s initial screening page. When the portal asked for a driver’s license number, Parker right-clicked the page and opened the browser’s built-in inspector, a basic option available to anyone, and deleted the few lines of HTML that made the driver’s license field mandatory. Parker then hit submit. Because the requirement was enforced only in the browser, the server accepted the incomplete submission: a window popped up stating that “Your cancellation request has been successfully submitted” and that county election workers would process the request within a week.
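The bug described above is the textbook case of trusting browser-side validation: an HTML `required` attribute stops an honest user from leaving a field blank, but anyone can remove it from the page before submitting, so the only check that counts is the one the server performs on the POST body. The following is an added example, not the Georgia portal’s code: it models a handler that accepted whatever the browser sent beside a handler that re-checks every required field on the server and returns the kind of “incomplete, will not be processed” error the Secretary of State’s Office says it added. The field names, the county list and the nine-digit license-number pattern are assumptions made for illustration.

```python
"""Server-side validation of a voter-cancellation form submission.

Added example, not the portal's own code. Field names, the county list and
the license-number pattern are assumptions for illustration.
"""
import re
from datetime import date

REQUIRED_FIELDS = ("first_name", "last_name", "dob", "county", "license_number")
# Assumption: a short county allowlist stands in for the real list of 159.
KNOWN_COUNTIES = frozenset({"Fulton", "DeKalb", "Cobb", "Gwinnett"})
# Assumption: the identifier is nine digits; adjust to the real format.
LICENSE_RE = re.compile(r"^\d{9}$")


def handle_submission_vulnerable(form):
    """The failure mode in the article: the server assumed the browser had
    already enforced 'required', so any POST body was accepted as-is."""
    return {"status": "queued",
            "message": "Your cancellation request has been successfully submitted"}


def validate_submission(form):
    """Return a list of error messages; an empty list means the request is complete.

    `form` is the parsed POST body as a dict of str -> str. Nothing the browser
    did is trusted: every required field is re-checked here, so a client that
    deleted the license-number <input> from the page is still rejected.
    """
    errors = []
    for field in REQUIRED_FIELDS:
        if not form.get(field, "").strip():
            errors.append(f"{field}: missing required field")
    if errors:
        return errors  # incomplete: stop here, do not process

    try:
        dob = date.fromisoformat(form["dob"].strip())
    except ValueError:
        errors.append("dob: must be YYYY-MM-DD")
    else:
        if dob >= date.today():
            errors.append("dob: must be in the past")

    if form["county"].strip() not in KNOWN_COUNTIES:
        errors.append("county: not a recognised county")

    if not LICENSE_RE.fullmatch(form["license_number"].strip()):
        errors.append("license_number: wrong format")
    return errors


def handle_submission_fixed(form):
    """Reject incomplete or malformed requests with an explicit error; only a
    fully valid form is queued for the county to process."""
    errors = validate_submission(form)
    if errors:
        return {"status": "rejected",
                "message": "Your submission is incomplete and will not be processed",
                "errors": errors}
    return {"status": "queued",
            "message": "Your cancellation request has been submitted"}


# Constructed sample: the browser sent everything except the license number,
# which is exactly what deleting that input from the page produces.
BYPASS_ATTEMPT = {
    "first_name": "Jane", "last_name": "Doe",
    "dob": "1980-01-01", "county": "Fulton",
}
COMPLETE = dict(BYPASS_ATTEMPT, license_number="123456789")

if __name__ == "__main__":
    print(handle_submission_vulnerable(BYPASS_ATTEMPT))  # accepted: the bug
    print(handle_submission_fixed(BYPASS_ATTEMPT))       # rejected
    print(handle_submission_fixed(COMPLETE))             # queued
```

The split into `validate_submission` and a handler is deliberate: the same validator can run on every entry point that creates a cancellation (web form, any API the form posts to, bulk imports), so there is no second code path where the browser’s markup is the only gate. Returning all field errors at once, rather than stopping at the first, also gives the legitimate user the error message the office describes without leaking anything about other voters.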

Parker said it took them less than two hours of poking around the website to find the vulnerability.

“Incomplete paper and online applications will not be accepted,” Evans said in the statement. (Parker’s cancellation request would have lacked a driver’s license number.) The Secretary of State’s Office did not respond to individual questions about what testing the portal underwent before launch, the system’s security procedures, what happened to Parker’s cancellation request and how the public could be sure of the portal’s security given the recent disclosures of security flaws.

“The Secretary of State’s Office needs to do better,” said Marisa Pyle, the senior democracy defense manager for Georgia with All Voting is Local, a voting rights advocacy organization. “The state needs to be really intentional about how it rolls out these things. It needs to make sure they’re secure and provide their rationale for making them.”

Jake Braun, the author of a book on cybersecurity flaws in election systems and lecturer at the University of Chicago, said that there is a long history of elections-related websites suffering from easily exploitable security failures, including Russians hacking election infrastructure during the 2016 election and public-interest competitions in which participants breached replicas of state election websites in minutes. Online elections infrastructure, he said, “needs more standards and better standards.”

Edwards said that the portal’s vulnerability-plagued rollout showed the necessity of improving the vetting process.

“Georgia should step up and pass a law saying all new websites in which the public interacts with government documents should have an outside review,” Edwards said. The public “should expect” officials “did some due diligence.”
