Georgia Officials Quietly Patched Security Holes They Said Didn’t Exist

TUCKER, GA - JUNE 20:  'I'm a Georgia Voter' stickers are available for people to cast their ballots during a special election in Georgia's 6th Congressional District special election at St. Bede's Episcopal Church on June 20, 2017 in Tucker, Georgia. Democratic candidate Jon Ossoff and Republican candidate Karen Handel are running to replace Tom Price, who is now the Secretary of Health and Human Services. The election will fill a congressional seat that has been held by a Republican since the 1970s.  (Photo by Joe Raedle/Getty Images)
TUCKER, GA - JUNE 20: 'I'm a Georgia Voter' stickers are available for people to cast their ballots during a special election in Georgia's 6th Congressional District special election at St. Bede's Episcopal Church o... TUCKER, GA - JUNE 20: 'I'm a Georgia Voter' stickers are available for people to cast their ballots during a special election in Georgia's 6th Congressional District special election at St. Bede's Episcopal Church on June 20, 2017 in Tucker, Georgia. Democratic candidate Jon Ossoff and Republican candidate Karen Handel are running to replace Tom Price, who is now the Secretary of Health and Human Services. The election will fill a congressional seat that has been held by a Republican since the 1970s. (Photo by Joe Raedle/Getty Images) MORE LESS
Start your day with TPM.
Sign up for the Morning Memo newsletter

A ProPublica analysis found that the state was busily fixing problems in its voter registration hours after the office of Secretary of State Brian Kemp, the Republican candidate for governor, had insisted the system was secure.

On Sunday morning, Georgia Secretary of State Brian Kemp unleashed a stunning allegation: State Democrats had committed “possible cyber crimes” after a tipster told party officials he had found gaping security holes in the state’s voter information website. The affair quickly degenerated into volleying charges about whether Democrats had promptly informed officials of the possible security breach.

A representative for Kemp, the state’s Republican candidate for governor, denied vulnerabilities existed in the state’s voter-lookup site and said the problems alleged could not be reproduced. But in the evening hours of Sunday, as the political storm raged, ProPublica found state officials quietly rewriting the website’s computer code.

ProPublica’s review of the state’s voter system followed a detailed recipe created by the tipster, who was described as having IT experience and alerted Democrats to the possible security problems. Using the name of a valid Georgia voter who gave ProPublica permission to access his voter file, reporters attempted to trace the security lapses that were identified.

ProPublica found the website was returning information in such a way that it revealed hidden locations on the file system. Computer security experts had said that revelation could give an intruder access to a range of information, including personal data about other voters and sensitive operating system details.

ProPublica’s attempt to take the next step — to poke around the concealed files and the innards of the operating system — was blocked by software fixes made that evening. According to the tipster’s recipe, it was also possible to view a voter’s driver’s license, partial Social Security number and address.

Kemp is locked in a tight race with Stacey Abrams, a former Democratic leader in the Georgia House. On Monday, his spokesman said the vulnerabilities raised could not be replicated. “There was nothing to substantiate” the claims, said Kemp spokeswoman Candice Broce.

ProPublica’s test on Sunday found traces of the same vulnerabilities the tipster described in his digital recipe. Details of the alleged vulnerabilities were provided to ProPublica by the website WhoWhatWhy.org, which first reported on the security issues this weekend.

Broce said the ability to see where files were stored was “common” across many websites, and she said it was not an inherent vulnerability. She did not deny that the website’s code was rewritten and would not say whether changes were made as a result of the possible security holes.

“We make changes to our website all the time,” Broce said. “We always move our My Voter Page to a static page before Election Day to manage volume and capacity. It is standard practice.” By Monday afternoon, the page did not appear to be static in the way Broce described, and she did not respond to a request to provide evidence of the change.

Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., disputed that visibility into file storage was common. “It’s definitely not best practice,” he said. He said it appeared the state had made the change in response to being notified of the problem and could see no reason why officials would otherwise make such a change ahead of Election Day.

Security experts frown on making such seemingly ad hoc changes close to major events, such as an election, because they can create unforeseen problems when made so quickly.

Georgia’s secretary of state was first alerted of a potential vulnerability Saturday afternoon. At the time, Washington attorney David Cross — who is representing plaintiffs in a lawsuit against Georgia over its paperless voting machines — alerted the office’s outside counsel that a man named Richard Wright contacted him Friday afternoon and claimed “any and all” information about registered voters could be pulled from the site with just a few keystrokes.

The state’s Democratic Party, for its part, denied running the code and said a party volunteer named Rachel Small merely forwarded Wright’s tip — containing an explainer and recipe that could reproduce the problem — to her boss, who forwarded it to cybersecurity experts. Those experts told the U.S. Department of Homeland Security, the FBI and Georgia officials by mid-Saturday, documents and interviews show.

The state did not know that Small had received her information from Wright — and assumed Small had written the code herself — until ProPublica told them of the connection on Sunday evening. Still, Broce said the investigation into the state Democratic Party was justified.

“You don’t have to actually have someone who is successful in running up against your system,” they don’t have to find a vulnerability for it to be potentially criminal or even try and execute it, Broce said. “All you need, to open an investigation, is information suggesting plans and an attempt to put together some kind of program or utilize specialize tools to find a vulnerability. We did have evidence,” she said, referring to the email forwarded by Small.

Kemp has previously faced election-related security problems, including a case in 2015 when his office mistakenly distributed files with 6 million voters’ private information.

Democratic Party of Georgia spokesperson Seth Bringman said that the party found out about Kemp’s investigation of the purported hack from news reports. He noted that no one from the secretary of state’s office has called to ask about Small. The party, Bringman said, has also not been contacted by the FBI or DHS. Bringman called Kemp’s public statements that Democrats were under investigation “unethical, irresponsible and disqualifying.”

Kemp’s campaign showed no signs of relenting Monday. “In an act of desperation, the Democrats tried to expose vulnerabilities in Georgia’s voter registration system,” spokesman Ryan Mahoney said in a statement. “This was a 4th-quarter, Hail Mary pass that was intercepted in the end zone. Thanks to the systems and protocols established by Secretary of State Brian Kemp, no personal information was breached.”

“These power-hungry radicals should be held accountable for their criminal behavior,” he said.

Filed under:

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.

Latest News
45
Show Comments

Notable Replies

  1. Avatar for paulw paulw says:

    After the election, if there’s any foothold at all, the department needs a top-to-bottom audit.

  2. Holy shit is this the ultimate in projection or what? “These power-hungry radicals should be held accountable for their criminal behavior,” he said. And still not a word on MSM about this development, the bastards are still just letting Kemp’s charges against the Georgia Democrats be the story.

  3. Avatar for yskov yskov says:

    For real? You’d think they’d have figured out by now that he’s up to no good.

  4. I’m confused. I heard that for the best no-bid contracted cyber-security services money can buy, always look to a Rethugliklan, because they know business, how things work, the art of the deal.

    “So, how do you sustain a business model in which users don’t pay for your service?”
    — Sen. Orrin Hatch, to Mark Zuckerberg

    (Spoiler alert: Fuckerberg confessed and gave up “the secret” to Facebook’s overt business model (the covert one is more lucrative) and said, “We sell ads, Senator.”

Continue the discussion at forums.talkingpointsmemo.com

39 more replies

Participants

Avatar for system1 Avatar for paulw Avatar for mondfledermaus Avatar for gelfling545 Avatar for bobatkinson Avatar for bojimbo26 Avatar for george_spiggott Avatar for Lacuna-Synecdoche Avatar for yskov Avatar for skippyflipjack Avatar for sparrowhawk Avatar for ottnott Avatar for fiftygigs Avatar for birdford Avatar for tiowally Avatar for kathya Avatar for nycabj Avatar for drtv Avatar for checkmate2016 Avatar for moniker Avatar for godwit Avatar for rascal_crone Avatar for hallowseve31 Avatar for cjohns6

Continue Discussion
Masthead Masthead
Founder & Editor-in-Chief:
Executive Editor:
Managing Editor:
Deputy Editor:
Editor at Large:
General Counsel:
Publisher:
Head of Product:
Director of Technology:
Associate Publisher:
Front End Developer:
Senior Designer: