Georgia Officials Quietly Patched Security Holes They Said Didn’t Exist
A ProPublica analysis found that the state was busily fixing problems in its voter registration system hours after the office of Secretary of State Brian Kemp, the Republican candidate for governor, had insisted the system was secure.
On Sunday morning, Georgia Secretary of State Brian Kemp unleashed a stunning allegation: State Democrats had committed “possible cyber crimes” after a tipster told party officials he had found gaping security holes in the state’s voter information website. The affair quickly degenerated into volleying charges about whether Democrats had promptly informed officials of the possible security breach.
A representative for Kemp, the state’s Republican candidate for governor, denied vulnerabilities existed in the state’s voter-lookup site and said the problems alleged could not be reproduced. But in the evening hours of Sunday, as the political storm raged, ProPublica found state officials quietly rewriting the website’s computer code.
ProPublica’s review of the state’s voter system followed a detailed recipe created by the tipster, who was described as having IT experience and alerted Democrats to the possible security problems. Using the name of a valid Georgia voter who gave ProPublica permission to access his voter file, reporters attempted to trace the security lapses that were identified.
ProPublica found the website was returning information in such a way that it revealed hidden locations on the file system. Computer security experts had said that revelation could give an intruder access to a range of information, including personal data about other voters and sensitive operating system details.
ProPublica’s attempt to take the next step — to poke around the concealed files and the innards of the operating system — was blocked by software fixes made that evening. According to the tipster’s recipe, it was also possible to view a voter’s driver’s license, partial Social Security number and address.
Kemp is locked in a tight race with Stacey Abrams, a former Democratic leader in the Georgia House. On Monday, his spokesman said the vulnerabilities raised could not be replicated. “There was nothing to substantiate” the claims, said Kemp spokeswoman Candice Broce.
ProPublica’s test on Sunday found traces of the same vulnerabilities the tipster described in his digital recipe. Details of the alleged vulnerabilities were provided to ProPublica by the website WhoWhatWhy.org, which first reported on the security issues this weekend.
Broce said the ability to see where files were stored was “common” across many websites, and she said it was not an inherent vulnerability. She did not deny that the website’s code was rewritten and would not say whether changes were made as a result of the possible security holes.
“We make changes to our website all the time,” Broce said. “We always move our My Voter Page to a static page before Election Day to manage volume and capacity. It is standard practice.” By Monday afternoon, the page did not appear to be static in the way Broce described, and she did not respond to a request to provide evidence of the change.
Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., disputed that visibility into file storage was common. “It’s definitely not best practice,” he said. He said it appeared the state had made the change in response to being notified of the problem and could see no reason why officials would otherwise make such a change ahead of Election Day.
Security experts frown on making such seemingly ad hoc changes close to major events, such as an election, because they can create unforeseen problems when made so quickly.
Georgia’s secretary of state was first alerted to a potential vulnerability Saturday afternoon. At the time, Washington attorney David Cross — who is representing plaintiffs in a lawsuit against Georgia over its paperless voting machines — alerted the office’s outside counsel that a man named Richard Wright contacted him Friday afternoon and claimed “any and all” information about registered voters could be pulled from the site with just a few keystrokes.
The state’s Democratic Party, for its part, denied running the code and said a party volunteer named Rachel Small merely forwarded Wright’s tip — containing an explainer and recipe that could reproduce the problem — to her boss, who forwarded it to cybersecurity experts. Those experts told the U.S. Department of Homeland Security, the FBI and Georgia officials by mid-Saturday, documents and interviews show.
The state did not know that Small had received her information from Wright — and assumed Small had written the code herself — until ProPublica told them of the connection on Sunday evening. Still, Broce said the investigation into the state Democratic Party was justified.
“You don’t have to actually have someone who is successful in running up against your system, they don’t have to find a vulnerability for it to be potentially criminal or even try and execute it,” Broce said. “All you need, to open an investigation, is information suggesting plans and an attempt to put together some kind of program or utilize specialized tools to find a vulnerability. We did have evidence,” she said, referring to the email forwarded by Small.
Kemp has previously faced election-related security problems, including a case in 2015 when his office mistakenly distributed files with 6 million voters’ private information.
Democratic Party of Georgia spokesperson Seth Bringman said that the party found out about Kemp’s investigation of the purported hack from news reports. He noted that no one from the secretary of state’s office has called to ask about Small. The party, Bringman said, has also not been contacted by the FBI or DHS. Bringman called Kemp’s public statements that Democrats were under investigation “unethical, irresponsible and disqualifying.”
Kemp’s campaign showed no signs of relenting Monday. “In an act of desperation, the Democrats tried to expose vulnerabilities in Georgia’s voter registration system,” spokesman Ryan Mahoney said in a statement. “This was a 4th-quarter, Hail Mary pass that was intercepted in the end zone. Thanks to the systems and protocols established by Secretary of State Brian Kemp, no personal information was breached.”
“These power-hungry radicals should be held accountable for their criminal behavior,” he said.