“A Terrible Vulnerability”: Cybersecurity Researcher Discovers Yet Another Flaw in Georgia’s Voter Cancellation Portal - eviltoast
  • Boddhisatva@lemmy.world
    link
    fedilink
    arrow-up
    38
    ·
    5 months ago

    First, they entered their name, date of birth and county of residence to get past the website’s initial screening page. When the portal asked them for a driver’s license number, Parker right-clicked to inspect the browser’s HTML code — a basic option available to anyone — and deleted a few lines of code requiring them to submit their driver’s license number. Parker then hit submit. A window popped up stating that “Your cancellation request has been successfully submitted” and that county election workers would process the request within a week.

    Holy crap. That is mindbogglingly bad programming. I strongly suspect that within a week they are going to get a request from Robert’); DROP TABLE Voters; –

    • atx_aquarian@lemmy.world
      link
      fedilink
      arrow-up
      5
      ·
      edit-2
      5 months ago

      Keep in mind, though, so far, we only know it to be a user experience issue.

      “Incomplete paper and online applications will not be accepted,” Evans said in the statement. (Parker’s cancellation request would have lacked a driver’s license number.) The Secretary of State’s Office did not respond to individual questions about what testing the portal underwent before launch, the system’s security procedures, what happened to Parker’s cancellation request…

      It doesn’t matter what the browser says if the end user tampered with the running page to make it say something. It matters if the application might have been processed. They’re claiming it wouldn’t have been processed since it was incomplete (lacking ID number). We’d need to know how this was handled on the back end to know how risky it really was. It could still have been bad, but this isn’t, in itself, proof of an actual problem.

      edit: Just to be clear, I’m not saying it shouldn’t be investigated. It really should be, as the article claims, an all-hands-on-deck moment. I’m just saying that the article makes the case that it should be investigated to ascertain what would have happened to the incomplete application submission to assess the exposure, not that it definitely was a vulnerability at all.

  • just_another_person@lemmy.world
    link
    fedilink
    arrow-up
    7
    ·
    5 months ago

    In light of this, a simple court order should make any changes to voter rolls invalid. Sue and get it done, as well as posting on every one of these sites about the issue so people are aware to check.

    • grue@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      edit-2
      5 months ago

      Suing over this is exactly what the GOP wants, because they’ve thoroughly ratfucked the judicial system (not just the Supreme Court, but lower Federal courts and state courts in GOP-controlled states like Georgia, too). And even if the lawsuits don’t go their way, if they can cause enough delay and confusion over which votes are valid, they can try to punt the election to the House (which they still control) again.

      See also: https://lemmy.world/post/18325854