It turns out that a vulnerability in the official website of a local government allowed anyone to send a 'request to cancel someone else's voter registration'



A vulnerability in the website operated by the Georgia Secretary of State's office allowed anyone to send a request to cancel someone else's voter registration, according to a report by foreign media outlets ProPublica and Atlanta News First. Experts who reviewed the vulnerability have criticized the 'incredibly sloppy coding.'

Security flaw allowed anyone to request cancellation of Georgia voter registrations

https://www.atlantanewsfirst.com/2024/08/05/security-flaw-allowed-anyone-request-cancellation-georgia-voter-registrations/



Cybersecurity Expert Finds Another Flaw in Georgia's Voter Portal — ProPublica
https://www.propublica.org/article/cybersecurity-expert-finds-another-flaw-in-georgia-voter-portal

On July 29, 2024, the Georgia Secretary of State's Office released an online form for submitting voter registration cancellation requests. However, shortly after the form was released, a bug was found that allowed voters' date of birth, the last four digits of their Social Security number, and their complete driver's license number to be fully displayed.

This information is required to request voter registration cancellation, and there have already been attempts to cancel the voter registrations of Georgia Representative Marjorie Taylor Greene and Secretary of State Brad Raffensperger.

Mike Hassinger, a spokesman for the Secretary of State's office, said the bug was fixed in less than an hour and that there was little risk of it being exploited, since voters would receive a postcard notifying them when their request was accepted.

However, a few days later, cybersecurity researcher Jason Parker reported a new vulnerability that allowed a user to send a request to cancel their voter registration without entering their driver's license number, using only easily available information such as their name, date of birth, and county of residence. Parker, who is actually planning to move from Georgia, shared a video demonstrating how to send a request without entering a driver's license number with media outlets such as ProPublica.

Cybersecurity Researcher Shows Flaw with Georgia's Voter Registration Cancellation Portal - YouTube


Parker, seen in the picture-in-picture inset at the top right, accessed the voter registration cancellation request form.



First, enter your name, county of residence, and date of birth and click 'NEXT.'



Answer questions such as why you want to cancel your voter registration, the state you are moving to, and whether or not you have a driver's license. Normally, you would need to enter your valid driver's license number in the area marked in red.



But Parker then right-clicked, looked at the HTML code in his browser, and deleted the lines of code that asked for his driver's license number.



Then the entire driver's license number input form disappeared.



Just click 'SUBMIT'.



The request to cancel your voter registration is now complete. Using this method, anyone can cancel someone else's voter registration without their driver's license number. Parker says it took him less than two hours to find the vulnerability.



Zach Edwards, a cybersecurity researcher who reviewed the bug at ProPublica's request, called it 'incredibly sloppy coding. It's shocking that a bug like this would occur on a legitimate website,' he said, arguing that basic testing should have detected the bug before the website was even launched.

ProPublica and Atlanta News First jointly alerted the Secretary of State's office to the issue and put the publication of the article on hold until it was fixed. 'We have updated our process to include an error message to inform individuals that their submission is incomplete and will not be processed,' Georgia Election Director Blake Evans said in a statement, explaining that requests with incomplete submission data will not be accepted.
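The flaw described above is a server accepting whatever fields the browser happens to send. The following added example (not the portal's code; the field names, formats and rules are assumptions made for illustration) contrasts that pattern with a server-side check that rejects incomplete submissions:

```javascript
// Added illustration: field names, formats and rules are assumptions,
// not the Georgia portal's actual code.
const REQUIRED = ["name", "county", "dateOfBirth", "reason", "hasLicense"];
const LICENSE_RE = /^\d{9}$/; // assumed license format, illustration only
// Assumed rule: the answer to "hasLicense" decides which identifier is mandatory.
const PROOF = new Map([["yes", ["licenseNumber", LICENSE_RE]],
                       ["no", ["ssnLast4", /^\d{4}$/]]]);

// Weak pattern: checks only the fields that arrive in the request. A field
// deleted from the page is never sent, so it is never checked.
function validatePresentFieldsOnly(body) {
  const errors = [];
  for (const [field, value] of Object.entries(body)) {
    if (String(value).trim() === "") errors.push(`${field} is empty`);
    else if (field === "licenseNumber" && !LICENSE_RE.test(value))
      errors.push("licenseNumber is malformed");
  }
  return { accepted: errors.length === 0, errors };
}

// Hardened pattern: the server holds the list of required fields and rejects
// any submission that lacks one, whatever the browser rendered.
function validateAgainstServerSchema(body) {
  const errors = [];
  // Non-string values (e.g. duplicated parameters parsed as arrays) count as missing.
  const get = (k) => (typeof body[k] === "string" ? body[k].trim() : "");
  for (const field of REQUIRED)
    if (get(field) === "") errors.push(`${field} is required`);
  const proof = PROOF.get(get("hasLicense"));
  if (!proof) errors.push("hasLicense must be yes or no");
  else if (!proof[1].test(get(proof[0])))
    errors.push(`${proof[0]} is missing or malformed`);
  return { accepted: errors.length === 0, errors };
}

// Constructed sample submissions (not real voter data).
const COMPLETE = { name: "Pat Example", county: "Fulton", dateOfBirth: "1980-01-01",
  reason: "moving", hasLicense: "yes", licenseNumber: "123456789" };
// The same submission with the license field absent from the request body.
const { licenseNumber, ...FIELD_MISSING } = COMPLETE;

for (const [label, body] of [["complete", COMPLETE], ["field missing", FIELD_MISSING]]) {
  console.log(label, "| weak:", validatePresentFieldsOnly(body).accepted,
    "| hardened:", JSON.stringify(validateAgainstServerSchema(body)));
}
```

A regression test that posts a body with each required field removed in turn is the kind of basic check that catches this class of bug before launch.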

in Web Service, Video, Security, Posted by log1h_ik