Georgia's voter portal gets a crash course in client versus backend input validation

Trying to cancel a citizen's registration would be caught by humans no matter what the page said, officials say


The US state of Georgia has a website for cancelling voter registration, and it's had a bumpy start.

The site was created to streamline the process of voluntarily cancelling one's voter registration. It's intended to be used by former Georgia residents who move away to another state, or by those related to citizens who have passed away. In theory, it's supposed to make elections in the Peach State more secure and less susceptible to voter fraud, which is a sensitive topic in Georgia since the 2020 Presidential election.

One cybersecurity researcher this week said pretty much anyone could cancel someone else's voter registration via the website, all thanks to what is apparently a simple but effective exploit. In a video demonstration, reported by Atlanta News First and ProPublica, former Georgia resident Jason Parker showed how he canceled his own registration by only submitting his full name, date of birth, and county of residence.

The website's cancellation form asks for all those details plus a driver's license or state ID number, or the last four digits of your social security number. Those numbers are explicitly labeled as a required piece of information, though Parker said he discovered that by merely opening up the "inspect element" tool in his browser and deleting the HTML for the field from the webpage, he was able to proceed with the cancellation request without that required number, and successfully submitted it. The whole process took a minute and a half.

"It's as easy as that," Parker said.

That would mean only a full name, date of birth, and county of residence are needed to cancel someone's voter registration. That info isn't hard to find just by looking at someone's social media, for instance, raising the possibility of voters finding themselves unable to go to the polls if a complete stranger decided to cancel their registration for them.

(We're going to skip over the fact it's possible to request cancellation of someone's registration if you know their ID number or SSN and their other details, which are routinely stolen from organizations and leaked on the internet. That's a whole other kettle of fish.)

It's just a visual bug, actually, Georgia says

Meddling with a form on the client side shouldn't allow one to bypass security checks. Indeed, Georgia's Secretary of State Office claimed the tampering as described wouldn't work at all, and that the cancellation request would be ultimately binned.

"No incomplete application moved forward," a spokesperson for the Secretary of State Office told The Register. "It was a workflow issue and that has been updated with a correct error message."

The spokesperson explained that all the portal does is fill out an application that is manually processed by state employees. By using his browser to remove the required field, all Parker accomplished was sending an incomplete form, which would have later been rejected by human officials.

"We've also had individuals try to submit fake driver's license numbers and those are immediately rejected as well," the spokesperson said. Georgia has blocked multiple attempts to cancel the voter registrations of House Representative Marjorie Taylor Greene (R-GA) and Secretary of State Brad Raffensperger.

If the state's officials are right, the only issue here was that the website wrongly said an incomplete application was accepted. The site rightly included client-side checking of the submission, though when that was bypassed, there should have been an immediate backend check to alert the user that information was missing and that the cancellation request would therefore be rejected by staff.

An error message has since been added for an incomplete submission, we're told.

Bullet dodged this time, but not so earlier. For about an hour after launch on July 29, the website would, a little too eagerly, offer up sensitive information – voters' driver's license or state ID numbers, or the last four digits of their social security numbers – according to the Georgia Recorder.

After entering someone's name, date of birth, and county into the site, the next page would auto-fill the required ID or SSN info. That means if you knew those initial details, you could get the rest, and submit a cancellation request, which would be bad. That automated populating of the fields was stopped sharpish.
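As an added illustration of the two backend behaviours this story turns on, an immediate server-side check that an application is complete, regardless of what the browser's form enforced, and a lookup that compares the voter's identifier on the server without ever sending the stored value back to the page, here is a small Python sketch. It is not code from the Georgia portal; the record store, the field names and the nine-digit licence format are constructed for the example.

```python
"""Server-side handling of a voter-registration cancellation form.

Added illustration, not the Georgia portal's code. The record store,
field names and identifier formats below are constructed assumptions.
"""
import hmac
import re

# Constructed sample roll: keyed on normalised (last, first, DOB, county).
# A real system would query a database; these values are made up.
RECORDS = {
    ("doe", "jane", "1980-01-15", "fulton"): {
        "drivers_license": "012345678",  # constructed nine-digit format
        "ssn_last4": "6789",
    },
}

REQUIRED = ("first_name", "last_name", "date_of_birth", "county")
MISSING_ID = ("a driver's license/state ID number or the last four "
              "digits of the SSN is required")
GENERIC_MISMATCH = "the details provided do not match a registration"


def validate_form(form):
    """Return a list of error messages; an empty list means the submission
    is complete. This runs on the server for every request, so deleting a
    field from the HTML with the browser's inspector changes nothing here."""
    errors = []
    for key in REQUIRED:
        if not str(form.get(key, "")).strip():
            errors.append(f"{key} is required")
    dl = str(form.get("drivers_license", "")).strip()
    ssn4 = str(form.get("ssn_last4", "")).strip()
    if not dl and not ssn4:
        errors.append(MISSING_ID)
    if ssn4 and not re.fullmatch(r"\d{4}", ssn4):
        errors.append("ssn_last4 must be exactly four digits")
    if dl and not re.fullmatch(r"\d{9}", dl):  # constructed format
        errors.append("drivers_license must be nine digits")
    return errors


def _record_key(form):
    return (form["last_name"].strip().lower(),
            form["first_name"].strip().lower(),
            form["date_of_birth"].strip(),
            form["county"].strip().lower())


def process_request(form):
    """Return (accepted, message) for a submitted cancellation form.

    The stored identifier is only ever compared here; it is never placed in
    a response, so a visitor who knows a name, DOB and county cannot use the
    site to learn the licence or SSN digits that the form requires."""
    errors = validate_form(form)
    if errors:
        return False, "incomplete application: " + "; ".join(errors)

    # Unknown voter and wrong identifier get the same reply, so the response
    # does not reveal which name/DOB/county combinations exist on the roll.
    stored = RECORDS.get(_record_key(form),
                         {"drivers_license": "", "ssn_last4": ""})
    dl = form.get("drivers_license", "").strip()
    ssn4 = form.get("ssn_last4", "").strip()
    if dl:
        matched = hmac.compare_digest(dl, stored["drivers_license"])
    else:
        matched = hmac.compare_digest(ssn4, stored["ssn_last4"])
    if not matched:
        return False, GENERIC_MISMATCH
    return True, "application received and queued for review by election staff"
```

The design point is that the client-side "required" marker is a convenience for honest users only; the server repeats the check and answers with an explicit error, rather than accepting the form and leaving a human reviewer to discover the gap later. Likewise, the identifier the applicant must know is an input the server verifies, never an output it pre-fills.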

“If someone knows my birth date, you could get in and pull up my information and change my registration,” said state Senate Minority Leader Gloria Butler (D).

According to officials, there were 33 attempts to use the portal on that first day, and 15 of those were internal testing.

Not the best launch, but at least it'll still, hopefully, ultimately prevent malicious actors from interfering with American democracy. ®
