The flaw would have allowed anyone to submit a voter registration cancellation request for any Georgian using their name, date of birth and county of residence — information that is easily discoverable online.
Keep in mind, though, so far, we only know it to be a user experience issue.
“Incomplete paper and online applications will not be accepted,” Evans said in the statement. (Parker’s cancellation request would have lacked a driver’s license number.) The Secretary of State’s Office did not respond to individual questions about what testing the portal underwent before launch, the system’s security procedures, what happened to Parker’s cancellation request…
It doesn’t matter what the browser says if the end user tampered with the running page to make it say something. It matters if the application might have been processed. They’re claiming it wouldn’t have been processed since it was incomplete (lacking ID number). We’d need to know how this was handled on the back end to know how risky it really was. It could still have been bad, but this isn’t, in itself, proof of an actual problem.
edit: Just to be clear, I’m not saying it shouldn’t be investigated. It really should be, as the article claims, an all-hands-on-deck moment. I’m just saying that the article makes the case that it should be investigated to ascertain what would have happened to the incomplete application submission to assess the exposure, not that it definitely was a vulnerability at all.
Keep in mind, though, so far, we only know it to be a user experience issue.
It doesn’t matter what the browser says if the end user tampered with the running page to make it say something. It matters if the application might have been processed. They’re claiming it wouldn’t have been processed since it was incomplete (lacking ID number). We’d need to know how this was handled on the back end to know how risky it really was. It could still have been bad, but this isn’t, in itself, proof of an actual problem.
edit: Just to be clear, I’m not saying it shouldn’t be investigated. It really should be, as the article claims, an all-hands-on-deck moment. I’m just saying that the article makes the case that it should be investigated to ascertain what would have happened to the incomplete application submission to assess the exposure, not that it definitely was a vulnerability at all.