News: 1723003515

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Georgia's voter portal gets a crash course in client versus backend input validation

(2024/08/07)


The US state of Georgia has a website for cancelling voter registration, and it's had a bumpy start.

The site was created to streamline the process of voluntarily cancelling one's voter registration. It's intended to be used by former Georgia residents who move away to another state, or by those related to citizens who have passed away. In theory, it's supposed to make elections in the Peach State more secure and less susceptible to voter fraud, which is a [1]sensitive topic in Georgia since the 2020 Presidential election.

One cybersecurity researcher this week said pretty much anyone could cancel someone else's voter registration via the website, all thanks to what is apparently a simple but effective exploit. In a video demonstration, [2]reported by Atlanta News First and ProPublica, former Georgia resident Jason Parker showed how he canceled his own registration by only submitting his full name, date of birth, and county of residence.

[3]

The website's cancellation form asks for all those details plus a driver's license or state ID number, or the last four digits of your social security number. Those numbers are explicitly labeled as a required piece of information, though Parker said he discovered that by merely opening up the "inspect element" tool in his browser and deleting the HTML for the field from the webpage, he was able to proceed with the cancellation request without that required number, and successfully submitted it. The whole process took a minute and a half.

[4]

[5]

"It's as easy as that," Parker said.

That would mean only a full name, date of birth, and county of residence is needed to cancel someone's voter registration. That info isn't hard to find just by looking at someone's social media, for instance, raising the possibility of voters finding themselves unable to go to the polls if a complete stranger decided to cancel their registration for them.

It's just a visual bug, actually, Georgia says

Meddling with a form on the client side shouldn't allow one to bypass security checks. Indeed, Georgia's Secretary of State Office claimed the tampering as described wouldn't work at all, and that the cancellation request would be ultimately binned.

"No incomplete application moved forward," a spokesperson for the Secretary of State Office told The Register . "It was a workflow issue and that has been updated with a correct error message."

[6]

The spokesperson explained that all the portal does is fill out an application that is manually processed by state employees. By using his browser to remove the required field, all Parker accomplished was sending an incomplete form, which would have later been rejected by human officials.

"We've also had individuals try to submit fake driver's license numbers and those are immediately rejected as well," the spokesperson said. Georgia has blocked multiple attempts to cancel the voter registrations of House Representative Marjorie Taylor Greene (R-GA) and Secretary of State Brad Raffensperger.

[7]Uncle Sam wants to make it clear that America's elections are very, very safe

[8]Michigan probes Musk-backed PAC website that weirdly tried and failed to help register people to vote

[9]Robocaller spoofing Joe Biden is telling people not to vote in New Hampshire

[10]FBI, CISA remind US voters that DDoS attacks can't touch election systems

If the state's officials are right, the only issue here was that the website wrongly said an incomplete application was accepted. The site rightly included client-side checking of the submission, though when that was bypassed, there should have been an immediate backend check to alert the user that information was missing and that the cancellation request would therefore be rejected by staff.

An error message has since been added for an incomplete submission, we're told.

Bullet dodged this time, but no so earlier. For about an hour after launch on July 29, the website would a little too eagerly offer up sensitive information – voters' driver's license or state ID numbers, or the last four digits of their social security numbers – [11]according to the Georgia Recorder.

[12]

After entering someone's name, date of birth, and county into the site, the next page would auto-fill the required ID or SSN info. That means if you knew those initial details, you could get the rest, and submit a cancellation request, which would be bad. That automated populating of the fields was stopped sharpish.

“If someone knows my birth date, you could get in and pull up my information and change my registration,” [13]said state Senate Minority Leader Gloria Butler (D).

According to officials, there were 33 attempts to use the portal on that first day, and 15 was internal testing.

Not the best launch, but at least it'll still, hopefully, ultimately prevent malicious actors from interfering with American democracy. ®

Get our [14]Tech Resources



[1] https://apnews.com/article/trump-georgia-fraud-defendants-201d73d2a6b165d06230961af9f21b61

[2] https://www.atlantanewsfirst.com/2024/08/05/security-flaw-allowed-anyone-request-cancellation-georgia-voter-registrations/

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZrNFxwyKk6Q5QOr4FRF-5QAAAFY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrNFxwyKk6Q5QOr4FRF-5QAAAFY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrNFxwyKk6Q5QOr4FRF-5QAAAFY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrNFxwyKk6Q5QOr4FRF-5QAAAFY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2024/01/10/doj_election_security/

[8] https://www.theregister.com/2024/08/05/michigan_election_officials_probe_website/

[9] https://www.theregister.com/2024/01/23/robocaller_biden_new_hampshire/

[10] https://www.theregister.com/2024/08/01/fbi_cisa_election_ddos/

[11] https://georgiarecorder.com/2024/08/02/georgia-secretary-of-state-says-bug-in-new-web-voter-portal-briefly-spilled-personal-data/

[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrNFxwyKk6Q5QOr4FRF-5QAAAFY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[13] https://apnews.com/article/georgia-cancel-voter-registration-personal-information-5bf7d7d474e0e077c7fd50141ff487e8

[14] https://whitepapers.theregister.com/



This is still a huge vulnerability

DS999

The last four digits of most people's SSN has been breached at least once, so that info is out there and unlike a street address isn't changing.

They are also placing a lot of faith that there isn't some sort of insider aided exploit. i.e. either someone inside Georgia's secretary of state's office with access to voter registration information could download that information, and copy the list of people registered democrat and make it available to third parties who will do the dirty work of unregistering enough of them right before the registration deadline that it costs Harris the state. Alternatively, if there were some "investigations" by the state house or senate that involved getting hold of voter registration information, the same could be done.

Of course by the time this was discovered it would be too late, and republican election deniers would claim it is democrat sour grapes. Even if the people who thought they were registered were allowed to vote via a provisional ballot, the election deniers would cry foul and claim it is "election fraud" and none of those provisional ballots should be counted. If they aren't, they win. If they are, they claim fraud and try to submit "alternate electors" to the electoral college. The goal of republicans isn't to root out fraud, because they know there was no large scale fraud that cost Trump the last election, or even a single state in the last election. The goal of republicans is uncertainty and chaos, so that no one trusts the actual election results and it goes to a vote of the house or gets decided by the highly partisan Supreme Court.

Re: This is still a huge vulnerability

Anonymous Coward

"so that no one trusts the actual election results"

*cough*2016*cough*

Hillary is STILL moaning about having the election stolen from her.

How many people said 'not my president' after 2016?

The Dems sowed the seeds!

John Robson

"The site rightly included client-side checking of the submission, though when that was bypassed, there should have been an immediate backend check to alert the user that information was missing and that the cancellation request would therefore be rejected by staff."

Why? - to submit something avoiding the client side check you know you've bypassed it.

The paper form doesn't automatically warn you if you seal the envelope without filling in all the required fields.

SSN? really?

Anonymous Coward

I was underthe impression that SSN was no longer permitted to be used for non Social Security Administration related uses.

Stop searching forever. Happiness is just next to you.