Major Security Vulnerability Discovered in Georgia's Voter Cancellation Portal
Until Monday, Georgia's voter cancellation portal contained a serious security vulnerability that could have allowed anyone to cancel a voter's registration with minimal information. Exploiting it required only a person's name, date of birth, and county of residence, details that are relatively easy to find online.
Discovery and Disclosure
Jason Parker, a cybersecurity researcher, discovered this flaw and informed ProPublica and Atlanta News First over the weekend. Parker mentioned that he tried to contact the Georgia Secretary of State’s Office but received no acknowledgment.
“It’s a terrible vulnerability to leave open, and it’s essential to be fixed,” Parker stated.
Expert Analysis
Zach Edwards, a senior threat researcher at Silent Push, reviewed the flaw and described it as “incredibly sloppy coding.” He emphasized that even a basic penetration test should have identified this issue before the portal's launch.
ProPublica and Atlanta News First informed the Secretary of State’s Office about the vulnerability and delayed their publications until it was fixed.
Official Response
Blake Evans, Georgia’s elections director, announced that the process now includes an error message to prevent incomplete submissions from being processed.
Previous Security Flaws
Earlier reports from The Associated Press and The Current highlighted other vulnerabilities that exposed sensitive voter information, such as Social Security numbers and driver’s license numbers. These issues were reportedly fixed quickly.
Exploitation Demonstrated
Parker demonstrated how the flaw could be exploited in under a minute by bypassing the requirement for a driver’s license number through basic HTML code inspection and alteration.
“In less than two hours, I found this vulnerability,” Parker said.
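A required field that is enforced only in the page's HTML can be dropped before submission, so the server has to re-check every required field itself and answer incomplete submissions with an error, which is the behavior the elections director describes. The sketch below is an added example, not code from the Georgia portal; the field names, the license-number format and the status codes are assumptions.

```python
import re
from datetime import date

# Assumed field names and formats; the page does not give the portal's real ones.
REQUIRED_FIELDS = ("full_name", "date_of_birth", "county", "drivers_license")
LICENSE_PATTERN = re.compile(r"[0-9]{7,9}")  # assumed format, for illustration


def validate_cancellation_request(form):
    """Return a list of errors; an empty list means the request is complete.

    This runs on the server, so it holds even if the submitted page was
    edited to drop a field or its `required` attribute.
    """
    errors = []
    cleaned = {}
    for field in REQUIRED_FIELDS:
        value = form.get(field)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"{field} is required")
        else:
            cleaned[field] = value.strip()

    if "date_of_birth" in cleaned:
        try:
            if date.fromisoformat(cleaned["date_of_birth"]) > date.today():
                errors.append("date_of_birth is in the future")
        except ValueError:
            errors.append("date_of_birth is not a valid date")

    if "drivers_license" in cleaned and not LICENSE_PATTERN.fullmatch(cleaned["drivers_license"]):
        errors.append("drivers_license has an invalid format")
    return errors


def handle_submission(form):
    """Reject incomplete submissions with an error instead of processing them."""
    errors = validate_cancellation_request(form)
    if errors:
        return 422, {"errors": errors}
    return 202, {"status": "queued for review"}


# Constructed sample inputs (not real voter data).
COMPLETE = {"full_name": "Pat Example", "date_of_birth": "1980-04-12",
            "county": "Fulton", "drivers_license": "012345678"}
# Same form with the license field missing, as if it had been removed client-side.
INCOMPLETE = {k: v for k, v in COMPLETE.items() if k != "drivers_license"}
```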
Call for Comprehensive Security Measures
Edwards stressed the need for the Secretary of State’s Office to undertake a thorough review and hire professional security firms, rather than relying on public goodwill and pro bono researchers.
“We should assume there are other subtle bugs that could have potentially serious impacts,” Edwards added.
Need for Better Standards
Jake Braun, an author and lecturer on cybersecurity at the University of Chicago, pointed out the historical issues with election-related website security. He emphasized the need for higher and better standards in online election infrastructure.
Edwards suggested that Georgia pass a law requiring all new public-interaction websites to undergo external reviews to ensure their security.
“The public should expect officials to have done some due diligence,” he concluded.