To build confidence in voting rolls, Georgia digitized a cancellation process.

Instead, they exposed voter data to exploitation.

The website launched this week by Georgia’s secretary of state, intended to help individuals cancel their voter registration and to increase confidence in the state’s electoral rolls, has instead exposed private personal data of voters, according to an investigation by The Current.

Oversights by IT workers during a test phase meant that for at least two days vital data such as driver’s license numbers or partial Social Security numbers was visible to anyone who looked, including malicious actors. Georgia Secretary of State Brad Raffensperger unveiled the site on Monday.

The Current discovered one security flaw on Wednesday — and immediately alerted the Secretary of State’s office. The story was held for publication until the agency worked with the IT vendor, MTX Group, to correct the issues. 

Gabriel Sterling, chief operating officer for the Georgia Secretary of State’s office, told The Current on Wednesday afternoon that approximately a couple hundred people had visited the site before the software fix. 

“We launched something, we found some issues, no one was impacted in any real way that we can discover, we’ve taken steps to mitigate it and make sure it doesn’t happen,” Sterling said. 

The issue is the second security flaw discovered since the site came online. The first, reported by The Associated Press, has also been fixed, according to Sterling.

The partial Social Security numbers and driver’s license numbers exposed inadvertently on Georgia’s voter cancellation site are part of the data necessary to initiate a voter registration cancellation, along with a person’s date of birth and county of residence. This personal information is valued by criminals for perpetrating identity or credit fraud.

The Current, while using the new site, discovered that sensitive personal information was included in the data the cancellation portal sent to some users’ browsers, even when it was not shown on the page. That flaw was related to an even more obvious security problem first reported by the AP: One page inside the portal very briefly displayed personal information in plain text.

Sterling said his office has been testing the portal internally for weeks. One of the problems had been fixed during testing, but a last-minute change elsewhere invalidated the fix, he said. The problem identified by The Current was on a list of things that needed to be checked, but it wasn’t checked, he said. 

The cancellation portal is part of a larger $5.1 million overhaul of the state’s voter registration system. Those changes include storing information in cloud-based servers run by the company Salesforce, which uses security standards laid out for agencies like the Federal Bureau of Investigation and the U.S. Department of Defense. Not even the MTX Group programmers can see voters’ information, he said.

Georgia’s new election laws allow unlimited numbers of challenges to voter registration, part of a series of changes that the Republican-led state government has made to voting law amid pressure from the pernicious but wrong opinion that voting fraud is rampant in the Peach State. The brunt of those registration challenges falls on county election officials.

Though this portal was designed for individuals to remove only themselves or deceased relatives, it comes at a time when voter-list vigilantes are appearing at county election boards with thousands of names they want removed from voter rolls. Voting rights advocates are on high alert, and didn’t care for the language that first appeared on the new Secretary of State page: “Please enter the information for the voter you are wanting to cancel.”

Despite the initial flaws in the cancellation portal — which Sterling emphasized were fixed within hours — the new digitized system is more secure than depending on paper and the mail, he said. 

Sterling said fewer than 20 people visited the site before Monday’s flaw was fixed; and a couple hundred people had initiated cancellation requests as of Wednesday afternoon. 

“At the end of the day …  all these county [election office] folks, a human being still has to look at this to see if it seems right to them,” Sterling said. Anyone whose registration is canceled should receive a postcard in the mail double-checking the deletion.

Raffensperger’s office called the site “secure” when they announced its debut via press release Monday. The office touted it as a simple way for anyone moving out of state to remove themselves from the Georgia voter list, or to do so for a deceased family member.  

“It will also help keep Georgia’s voter registration database up-to-date without having to rely on postcards being sent and returned by an increasingly inefficient postal system,” Raffensperger was quoted as saying in the Monday release. 

Georgia Democrats this week have panned Raffensperger’s voter cancellation initiative, and the security snafus have deepened the mistrust among many members of the state’s minority party. As Georgia moves from long-term Republican dominance to a place where more Democrats register to vote, margins as small as 12,000 votes matter in statewide elections. Democrats fear the portal will be abused by conspiracy theorists and bad actors to wrongly disenfranchise voters.

One Democratic state senator said she saw her own personal information in plain text on the site. Her caucus called for the cancellation portal to be taken down altogether.

The state cancellation site still begins by asking for a person’s name, date of birth and county of residence.

Next, the site asks for the voter’s driver’s license number or the last four digits of their Social Security number.

For a short period Monday morning, if a user clicked an option saying they don’t have a driver’s license, the site generated a form for the user to print and return by mail or email. Pressing that button to create the form exposed the personal information. 

August 1, 2024, 10:57 a.m.: Clarification:  One reference in this story has been updated to clarify the day on which one flaw was fixed on the Secretary of State’s site.

Methods:

The Current found the security flaw by reading the files that the Secretary of State’s website sent to browsers. Browsers such as Firefox, Chrome or Safari read those files and follow the instructions in them in order to display websites. But humans can also read those files, just as humans can read a Word document. And sometimes, humans find things in them that programmers never meant to send to the browser, or forgot to strip out.

One way computers send information to each other is a format called JSON. JSON is plain text: the values it carries, such as names, dates and numbers, are readable as written, wrapped in braces, brackets and quotation marks that mark where each field begins and ends. The website’s own code, not the JSON itself, decides which of those fields to show on the page. A field that the page never displays is still sitting in the JSON for anyone to read.

Any user can see what kind of JSON or other files their browser is receiving. It’s like opening the hood of a car to look at the engine.

Opening the hood is done a little differently in every browser, but the end goal is to find the “network monitor.” In Firefox, for example, open “Web Developer Tools” (the F12 key) and select the “Network” tab; clicking on any request in the list shows the full response the server sent back, whether or not the page displayed it.

In the case of the voter cancellation portal, the JSON sent by the state included PII in readable form. For a while Monday morning, that PII was displayed in plain text in a browser window within the portal, visible to any user. For at least another day, that PII was still sent to the browser inside the JSON, just not displayed on the page, so anyone who opened the network monitor could read it.
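The check described in this Methods section, written out as an added example. This is not code from the Secretary of State’s portal, MTX Group or The Current; the response below is constructed, and its field names and values (requestId, voter.ssnLast4, voter.driversLicense and so on) are assumptions made for illustration, since the real portal’s JSON was not published. The first half scans a captured response for fields that look like PII, the same thing a tester does by eye in the network monitor; the second half shows the server-side fix, which is to build the response from an allow-list so that fields the page never displays are never sent.

```javascript
// Added example, not code from the Secretary of State's portal, MTX Group or
// The Current. The response below is CONSTRUCTED: its field names and values
// are assumptions made for illustration; the real portal's JSON was not
// published.
//
// Part 1 scans a captured JSON response for fields that look like PII, the
// check a tester runs on what the network monitor shows. Part 2 is the
// server-side fix: build the response from an allow-list so fields the page
// never displays are never sent to the browser.

// Constructed sample of an over-exposed response (hypothetical field names).
const sampleResponse = {
  requestId: "REQ-0001",
  voter: {
    firstName: "Jane",
    lastName: "Doe",
    dateOfBirth: "1980-04-12",
    county: "Chatham",
    ssnLast4: "6789",
    driversLicense: "012345678",
    status: "ACTIVE",
  },
  form: { downloadUrl: "/forms/REQ-0001.pdf" },
};

// Field names that mark a value as sensitive, whatever the value looks like.
const SENSITIVE_KEY = /ssn|social|licen[cs]e|dob|birth/i;
// A full SSN is flagged on its value alone, even when the key is innocuous.
const FULL_SSN = /^\d{3}-?\d{2}-?\d{4}$/;

// Walk a parsed JSON value and return every path that looks like PII.
function findSensitiveFields(value, path = "$") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findSensitiveFields(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const [key, v] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (v !== null && typeof v === "object") {
        hits.push(...findSensitiveFields(v, childPath));
      } else if (SENSITIVE_KEY.test(key)) {
        hits.push({ path: childPath, reason: "key" });
      } else if (typeof v === "string" && FULL_SSN.test(v)) {
        hits.push({ path: childPath, reason: "value" });
      }
    }
  }
  return hits;
}

// Convenience for raw response text copied out of the network monitor.
function scanJsonText(text) {
  return findSensitiveFields(JSON.parse(text));
}

// Server-side fix: only the fields the page actually uses leave the server.
// The browser needs a request id and a link to the printable form; it does
// not need the voter's identifiers back, because the user just typed them.
const CLIENT_FIELDS = ["requestId", "form"];
function minimizeResponse(full) {
  const out = {};
  for (const key of CLIENT_FIELDS) {
    if (key in full) out[key] = full[key];
  }
  return out;
}

// Stand-alone run: report what the constructed response leaks, then show
// that the minimized response carries nothing sensitive.
if (typeof require !== "undefined" && require.main === module) {
  console.log(findSensitiveFields(sampleResponse));
  console.log(findSensitiveFields(minimizeResponse(sampleResponse)));
}
```

The scan is deliberately crude: it keys on field names and on the one value pattern (a full SSN) that is unambiguous, because four digits on their own could be a year or a ZIP prefix. The more important half is the allow-list. Filtering the display in the browser, which is what a last-minute fix tends to do, leaves the data in the response; only the server can keep it out.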

Type of Story: News

Based on facts, either observed and verified firsthand by the reporter, or reported and verified from knowledgeable sources.
