The flaw would have allowed anyone to submit a voter registration cancellation request for any Georgian using their name, date of birth and county of residence - information that is easily discoverable online.
Keep in mind, though, so far, we only know it to be a user experience issue.
"Incomplete paper and online applications will not be accepted," Evans said in the statement. (Parker's cancellation request would have lacked a driver's license number.) The Secretary of State's Office did not respond to individual questions about what testing the portal underwent before launch, the system's security procedures, what happened to Parker's cancellation request…
It doesn't matter what the browser says if the end user tampered with the running page to make it say something. It matters if the application might have been processed. They're claiming it wouldn't have been processed since it was incomplete (lacking ID number). We'd need to know how this was handled on the back end to know how risky it really was. It could still have been bad, but this isn't, in itself, proof of an actual problem.
edit: Just to be clear, I'm not saying it shouldn't be investigated. It really should be, as the article claims, an all-hands-on-deck moment. I'm just saying that the article makes the case that it should be investigated to ascertain what would have happened to the incomplete application submission to assess the exposure, not that it definitely was a vulnerability at all.