The #Georgia Secretary of State has successfully swept this still exploitable #voter registration vulnerability under the rug. https://infosec.exchange/@abreacher/113472501179978692
Journalists and lawyers don't want to take it seriously, so they get to get away with it.
Alison Breacher (@[email protected])
# Georgia My Voter Page (MVP) Registration Change

## Description

A security vulnerability was found in Georgia's My Voter Page (MVP) portal, allowing unauthorized changes to voter registration without verifying the voter's identity. This flaw bypasses standard identity checks, enabling changes with minimal, publicly available information. Despite claims by the Georgia Secretary of State's office that county registrar review mitigates this risk, tests confirm that the vulnerability remains unaddressed.

## Details

The vulnerability in the MVP portal permits an attacker to alter a voter's registration information using only basic personal details--such as name, date of birth, and county of residence. With these, an attacker can access a voter's MVP account and initiate changes without needing a valid driver's license linked to the voter.

The vulnerability involves the following steps:

1. **Access Using Public Information**: Log into MVP using a voter's name, date of birth, and county of residence--details that are often accessible through public records.
2. **Edit Registration**: Select "UPDATE VOTER INFORMATION" and modify data fields such as address, email, and phone.
3. **Driver's License Bypass**: Input any valid Georgia driver's license number. The system doesn't verify if the license actually matches the voter.
4. **Packet Manipulation**: Use a proxy tool (like BurpSuite) to intercept and alter packets during submission:
   - **Packet 1** verifies initial login.
   - **Packet 2** performs a basic driver's license check without confirming the match.
   - **Packet 3** saves the edited information. Setting the driver's license field to `null` bypasses identity verification entirely.

The altered information is then submitted to the county registrar for review. While manual review may detect some discrepancies, it's not foolproof--especially with no alert in the system when the driver's license field is `null` in the final submission.

This vulnerability poses significant risks to election security, particularly in tight local races where voter disenfranchisement could occur undetected. The ease of access and potential for abuse underline the urgent need for stronger verification measures within the MVP portal.

**CVSS Score:** 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N)

## Timeline

- **2024-08-06** - Vulnerability reported to Georgia Secretary of State by an independent researcher.
- **2024-08-06** - Initial acknowledgment of receipt from the Secretary of State's office.
- **2024-09-19** - Follow-up request for status on fix; no response received.
- **2024-10-03** - Further clarification sought from Secretary of State's office; response vaguely threatens researcher.
- **2024-10-21** - Secretary of State's General Counsel denies the vulnerability, citing manual review by county registrars as mitigation.
- **2024-11-01** - Contact initiated with Georgia Technology Authority (GTA) Director Vincent Seals regarding the vulnerability.
- **2024-11-01** - Communication with GTA; GTA Director Seals acknowledges documentation but notes difficulties reproducing the issue.
- **2024-11-01** - Request for update on GTA's HackerOne registration and test outcome; follow-up from researcher offering support in reproducing in a controlled environment.
- **2024-11-04** - GTA Director Seals reports that HackerOne is processing the request to add researcher to the private team; no vulnerability confirmed by GTA.
- **2024-11-05** - Follow-up email sent to GTA Director Seals requesting update on the vulnerability.
- **2024-11-06** - Alison Breacher reproduces the vulnerability independently, verifying persistence of the issue.
- **2024-11-08** - Final follow-up with GTA and Secretary of State's office noting intent for public disclosure due to lack of action and inability to confirm vulnerability.
- **2024-11-09** - Email from Alex Kirkland, Deputy CISO of GTA, stating that the Georgia Technology Authority has no authority over the Secretary of State's Office and requesting that communication regarding the issue be directed solely to the Secretary of State.
- **2024-11-10** - Follow-up text message sent to Gabe Sterling, COO of the Secretary of State's Office, requesting acknowledgment of the vulnerability; no response received.

## Contact

Alison Breacher

- Email: [[email protected]](mailto:[email protected])
- Mastodon: [@abreacher](https://infosec.exchange/@abreacher)

#cybersecurity #infosec #voting #election #georgia #uspol
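One way to close the gap described in steps 3 and 4 of the advisory, as an added example that is not code from the advisory or from the MVP portal: the save handler itself checks that the supplied license is the one on file for that voter, treats `null` as a failure, and logs every rejection. All names (`VoterRecord`, `VOTERS`, `check_update`, `handle_save`, the `dl_number` field) and the sample records are hypothetical and constructed.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class VoterRecord:  # hypothetical stand-in for the record on file
    voter_id: str
    dl_number: str

# Constructed sample data, not real records.
VOTERS = {
    "V-1001": VoterRecord("V-1001", "DL-000000001"),
    "V-1002": VoterRecord("V-1002", "DL-000000002"),
}

def check_update(session_voter_id, payload):
    """Decide whether a registration update may be saved: (accepted, reason)."""
    record = VOTERS.get(session_voter_id)
    if record is None:
        return False, "unknown_voter"
    dl = payload.get("dl_number")
    # Missing, null or non-string is a failure, never "nothing to check".
    if not isinstance(dl, str) or not dl.strip():
        return False, "dl_missing_or_null"
    # The license must be the one on file for THIS voter, not merely a valid one.
    supplied = dl.strip().upper().encode()
    if not hmac.compare_digest(supplied, record.dl_number.upper().encode()):
        return False, "dl_mismatch"
    return True, "ok"

def handle_save(session_voter_id, payload, audit_log):
    """Save handler: re-verifies identity itself and records every rejection."""
    accepted, reason = check_update(session_voter_id, payload)
    if not accepted:
        # Rejections are logged so a null or mismatched license raises an alert.
        audit_log.append({"voter_id": session_voter_id, "reason": reason})
    return accepted

if __name__ == "__main__":
    log = []
    print(handle_save("V-1001", {"dl_number": "DL-000000001"}, log))
    print(handle_save("V-1001", {"dl_number": None}, log))
    print(log)
```

Because the check lives in the save step rather than in a separate earlier request, skipping or altering that earlier request does not remove it.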

