Serious Vulnerabilities in Georgia’s Online Voter Registration System
Yesterday afternoon, Marilyn Marks sent an email thread to me and several other election security experts. The email was seeking to confirm two serious vulnerabilities in Georgia’s online voter registration system. It contained a technical description of the problems, apparently reported by a party volunteer. Without exploiting the vulnerabilities, I confirmed that the description appeared to be technically accurate, and that the problems were very serious. Around 7 PM yesterday, the information was reported to the Georgia Secretary of State by Bruce Brown, an attorney for the plaintiffs in Curling v. Kemp, in which I am serving as a technical expert.
The first vulnerability lets users access and change other voters’ records. The Voter Registration server has a trivial “URL manipulation” vulnerability that allows any logged-in voter to access other voters’ registration pages (here’s an explainer for URL manipulation).These pages contain sensitive personally identifiable information, including the voter’s address and date of birth. The initial technical description also indicated that driver’s license information and the last four digits of a voter’s social security number were available through this vulnerability, but I could not confirm that without exploiting the vulnerability. With this information, an attacker can log into Georgia’s online voter registration system as that other voter and change their registration information. In the worst case, an attacker could automate this process to change the registrations of many voters, resulting in their not being able to vote on election day.
The second vulnerability is a “URL manipulation” vulnerability in the My Voter Page server. An incorrectly implemented function allows anyone to read arbitrary files from the server’s internal filesystem, simply by changing a URL. This exposes sensitive information — including the server-side application program files, as well as system and network configuration files — that would help an attacker break farther into the server, and potentially into other parts of the voter registration computer systems.
Georgia’s voter registration is handled by a system called ElectioNet, a voter registration suite that is sold by PCC Technologies. ElectioNet is used in 15 states for voter registration functions, and the issues with Georgia’s system may also apply to those states. PCC also produces software for other election functions, including for election-night reporting, and that software should be carefully scrutinized.
The State of Georgia, other affected states, and PCC Technologies need to take action immediately to remedy these vulnerabilities and assess whether voter registration records have already been changed.