“A Terrible Vulnerability”: Cybersecurity Researcher Discovers Yet Another Flaw in Georgia’s Voter Cancellation Portal

Until Monday, a new online portal run by the Georgia Secretary of State’s Office contained what experts describe as a serious security vulnerability that would have allowed anyone to submit a voter cancellation request for any Georgian. All that was required was a name, date of birth and county of residence — information easily discoverable for many people online.

The flaw was brought to the attention of ProPublica and Atlanta News First over the weekend by a cybersecurity researcher, Jason Parker. Parker, who uses they/them pronouns, said that after discovering it, they attempted to contact the Georgia Secretary of State’s Office. The office said it had no records of Parker’s attempts to reach out.

“It’s a terrible vulnerability to leave open, and it’s essential to be fixed,” Parker said.

The issue Parker exposed was “as bad as any voter cancellation bug could be” and “incredibly sloppy coding,” said Zach Edwards, a senior threat researcher at the cybersecurity firm Silent Push, who reviewed the flaw at the request of ProPublica. “It’s shocking to have one of these bugs occur on a serious website.” Edwards said that even a basic penetration test, in which outside experts vet the security of a website before its launch, “should have picked this up.”