Georgia Patches Voter Website, But Hacking Accusation Stands
Disclosure Flow Suggests Georgia's Secretary of State's Office May Have Erred
Georgia has quietly fixed two elementary web vulnerabilities in its voter registration website that could have exposed personal information, ProPublica reports.
How the Georgia secretary of state's office learned of the vulnerabilities and reacted suggests it may have erred when making a sensational accusation against the Democratic party of Georgia just two days before the U.S. midterm elections (see: Georgia Election Further Complicated by Hacking Accusation).
On Sunday, before the website was fixed, the office of the secretary of state for Georgia announced that it had launched an investigation into Georgia's Democratic party for "possible cybercrimes" related to the state's voter registration system. In another release, the state referred to the situation as a failed cyberattack.
The accusation came from the office of Secretary of State Brian Kemp, who is also the Republican candidate for governor. Kemp is in a tight race with Democrat Stacey Abrams in one of the most closely watched gubernatorial races in the country.
Democrats called the accusation a "political stunt," and the charge was met with widespread skepticism.
Personal Data Exposed
ProPublica reported on Monday that the Georgia state website, My Voter Page, was modified on Sunday to fix two vulnerabilities found by a man named Richard Wright.
Georgia Democrats said on Sunday that Wright had notified them of possible vulnerabilities in the website: Rachel Small, a volunteer with the party's Voter Protection Hotline, received an email from him, the party said.
Small then forwarded the email to Sara Ghazal, the voter protection director for Georgia Democrats, who then sent it on to law enforcement and the state. Georgia Democrats published the email that Small allegedly received from Wright.
In the email, Wright describes two findings. My Voter Page has a section for downloading sample ballots and poll cards, but Wright writes that "the URL allows you to download any file on the system."
The second issue was with the voter registration service. Wright writes that a voter can download a registration form to fill out by hand and mail in.
But the URL for that page can also be manipulated: incrementing the identifier in it returns other voters' records, exposing personal data including addresses, driver's license numbers and the last four digits of Social Security numbers.
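The two findings Wright describes are textbook cases of two web weaknesses: an arbitrary file download (a path traversal, where the file name in the URL is joined onto a directory without being confined to it) and an insecure direct object reference (a sequential record identifier that is never checked against the logged-in user). The following Python is an added example written for this article; it is not code from My Voter Page or from Wright's email. The document root, file types, record layout and sample voter data are constructed assumptions, and the comparison shows the vulnerable pattern beside a hardened form for each finding.

```python
import posixpath
from typing import Callable, Dict, List, Optional

# Assumed document root for sample ballots and poll cards (hypothetical path).
PUBLIC_DIR = "/srv/mvp/public"
# Assumed set of file types the download feature is meant to serve.
ALLOWED_EXTENSIONS = {".pdf"}


def resolve_download_unsafe(requested: str) -> str:
    """Finding 1, vulnerable form: the file name taken from the URL is joined
    onto the document root with no check, so '../' segments or an absolute path
    resolve to any file on the system."""
    return posixpath.normpath(posixpath.join(PUBLIC_DIR, requested))


def resolve_download_safe(requested: str) -> Optional[str]:
    """Finding 1, hardened form: normalise the path, then require that it is
    still inside PUBLIC_DIR and has an expected file type. Returns None when
    the request must be refused."""
    if not requested or "\x00" in requested:
        return None
    candidate = posixpath.normpath(posixpath.join(PUBLIC_DIR, requested))
    if not candidate.startswith(PUBLIC_DIR + "/"):
        return None  # escaped the document root via '..' or an absolute path
    if posixpath.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return candidate


# Constructed sample data standing in for the registration-form table.
# Keys are sequential form ids of the kind that can be incremented in a URL;
# the fields mirror the categories of data the report says were exposed.
REGISTRATIONS: Dict[int, Dict[str, str]] = {
    1001: {"voter": "V-A", "addr": "1 Example St", "dl": "000000001", "ssn4": "1111"},
    1002: {"voter": "V-B", "addr": "2 Example St", "dl": "000000002", "ssn4": "2222"},
    1003: {"voter": "V-C", "addr": "3 Example St", "dl": "000000003", "ssn4": "3333"},
}


def get_registration_unsafe(form_id: int) -> Optional[Dict[str, str]]:
    """Finding 2, vulnerable form: any id in the URL returns that record,
    regardless of who is asking."""
    return REGISTRATIONS.get(form_id)


def get_registration_safe(form_id: int, session_voter: str) -> Optional[Dict[str, str]]:
    """Finding 2, hardened form: the record is returned only if it belongs to
    the voter identified by the authenticated session. A wrong owner and a
    missing record look identical to the caller, so ids cannot be probed."""
    record = REGISTRATIONS.get(form_id)
    if record is None or record["voter"] != session_voter:
        return None
    return record


def enumerate_forms(fetch: Callable[[int], Optional[Dict[str, str]]],
                    start: int, count: int) -> List[Dict[str, str]]:
    """What an attacker does with an incrementable id: walk a range of ids and
    keep every record the endpoint hands back."""
    found = []
    for form_id in range(start, start + count):
        record = fetch(form_id)
        if record is not None:
            found.append(record)
    return found


if __name__ == "__main__":
    print(resolve_download_unsafe("../../../etc/passwd"))   # escapes PUBLIC_DIR
    print(resolve_download_safe("../../../etc/passwd"))     # None
    print(len(enumerate_forms(get_registration_unsafe, 1000, 10)))  # every record
    print(len(enumerate_forms(lambda i: get_registration_safe(i, "V-A"), 1000, 10)))  # only V-A's
```

The authorization check is the essential fix for the second finding; replacing sequential ids with unguessable tokens is a useful extra layer but does not substitute for it, because a token that leaks still has to be bound to its owner. For the first finding, the containment check on the normalised path matters more than the extension allowlist, since an allowlist alone would still serve any PDF anywhere on the host.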
ProPublica attempted to replicate Wright's discoveries but found that by Sunday the issues had been fixed.
Voter Website Quietly Patched
ProPublica's story suggests that Georgia had incomplete information before it made an accusation against Democrats. It writes that Georgia "did not know that Small had received her information from Wright - and assumed Small had written the code herself - until ProPublica told them of the connection on Sunday evening."
So far, the state hasn't issued an update on its investigation into Georgia Democrats. Statements by a Kemp spokeswoman to both ProPublica and Ars Technica indicate the state still believes the site was subjected to an attempted cyberattack.
ProPublica writes that Kemp spokeswoman Candice Broce told the publication that a situation can be potentially criminal, and an investigation can be opened, even if no vulnerability was actually found. Ars also quotes Broce as saying there were no vulnerabilities on the website.
"All you need, to open an investigation, is information suggesting plans and an attempt to put together some kind of program or utilize specialized tools to find a vulnerability. We did have evidence," Broce told ProPublica.
The legal boundary between legitimate security research and criminal intrusion is fuzzy. Often the very actions needed to confirm that a vulnerability exists, such as incrementing a number in a URL, could technically break the law.
But legal experts say it's unlikely that prosecutors would bring a case against someone - in this case Wright - for discovering a vulnerability and seeking to responsibly report it.