Ahh voting… Like baseball and apple pie, it is another thing that makes America great.
But one problem that we have had for a long time is how to get military personnel and citizens who are overseas the ability to vote?
It looks like Washington, DC was set to receive a brand spanking new way for absentee voters to vote over the internet.
The problem is that no-one saw the “Hacker Inside” label on the system.
Luckily, the voting system was tested by University of Michigan security gurus before going live. The result? After voters cast their ballot, they were greeted with the Michigan fight song “The Victors!” Nice…
More information about the system and the hack were found on The Register yesterday. According to the article, the voting system used a MySQL database running on an Apache server and was written on the Ruby on Rails framework.
The would-be hackers found that they could attach system command strings to ballots, which the system would execute when the ballot was uploaded.
“A file named “ballot.$(sleep 10)pdf,” for instance, caused the server to pause for 10 seconds. They used similar techniques to install a backdoor on the system that allowed them almost unfettered system access.”
Not only did they have complete access to the system, they also found the database username and password. So I am guessing that with this information they would be able to tell not only which candidate a citizen voted for, but also, create new or even change existing votes.
Thank goodness the system was tested before it went live. And you thought that missing ballots and dead people voting was a problem…