The flaw would have allowed anyone to submit a voter registration cancellation request for any Georgian using their name, date of birth and county of residence — information that is easily discoverable online.
First, they entered their name, date of birth and county of residence to get past the website’s initial screening page. When the portal asked them for a driver’s license number, Parker right-clicked to inspect the browser’s HTML code — a basic option available to anyone — and deleted a few lines of code requiring them to submit their driver’s license number. Parker then hit submit. A window popped up stating that “Your cancellation request has been successfully submitted” and that county election workers would process the request within a week.
Holy crap. That is mindbogglingly bad programming. I strongly suspect that within a week they are going to get a request from Robert’); DROP TABLE Voters; –
Keep in mind, though, so far, we only know it to be a user experience issue.
“Incomplete paper and online applications will not be accepted,” Evans said in the statement. (Parker’s cancellation request would have lacked a driver’s license number.) The Secretary of State’s Office did not respond to individual questions about what testing the portal underwent before launch, the system’s security procedures, what happened to Parker’s cancellation request…
It doesn’t matter what the browser says if the end user tampered with the running page to make it say something. It matters if the application might have been processed. They’re claiming it wouldn’t have been processed since it was incomplete (lacking ID number). We’d need to know how this was handled on the back end to know how risky it really was. It could still have been bad, but this isn’t, in itself, proof of an actual problem.
edit: Just to be clear, I’m not saying it shouldn’t be investigated. It really should be, as the article claims, an all-hands-on-deck moment. I’m just saying that the article makes the case that it should be investigated to ascertain what would have happened to the incomplete application submission to assess the exposure, not that it definitely was a vulnerability at all.
Holy crap. That is mindbogglingly bad programming. I strongly suspect that within a week they are going to get a request from Robert’); DROP TABLE Voters; –
Bobby Tables is such a little rascal.
Why would I need to sanitize my inputs, data can’t carry germs that’s ridiculous
Keep in mind, though, so far, we only know it to be a user experience issue.
It doesn’t matter what the browser says if the end user tampered with the running page to make it say something. It matters if the application might have been processed. They’re claiming it wouldn’t have been processed since it was incomplete (lacking ID number). We’d need to know how this was handled on the back end to know how risky it really was. It could still have been bad, but this isn’t, in itself, proof of an actual problem.
edit: Just to be clear, I’m not saying it shouldn’t be investigated. It really should be, as the article claims, an all-hands-on-deck moment. I’m just saying that the article makes the case that it should be investigated to ascertain what would have happened to the incomplete application submission to assess the exposure, not that it definitely was a vulnerability at all.
It’s Georgia. They didn’t need no Feeld Valludatuns down durrrr.