Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researcher Arrested For Hacking Elections Websites

A security researcher was arrested and charged after finding some serious vulnerabilities on a couple of elections websites in Florida.

A security researcher was arrested and charged after finding some serious vulnerabilities on a couple of elections websites in Florida.

David Levin, owner of Vanguard Cybersecurity, discovered in December that the elections website of Lee County was plagued by an SQL injection vulnerability that allowed access to credentials stored in plain text. The expert later also identified security holes on the Florida Division of Elections website.

Levin contacted a supervisor of elections candidate and in January they made a video demonstrating the existence of the SQL injection flaw on the Lee County elections website and showed how exposed credentials could be used to access accounts and information. The security hole was only then reported to the Supervisor of Elections Office.

According to local reports, the white hat hacker was arrested last week and charged with three counts of unauthorized access to a computer or a computer system. He was released on a $15,000 bond after a few hours.

Authorities said the researcher hacked into the state elections website twice in January and once into the Lee County elections site in mid-December.

While Levin’s case might also have something to do with politics, experts pointed out that it’s another example of a researcher going too far to demonstrate the existence of a flaw.

“Dave obviously found a serious risk but rather than just stopping there and reporting it, he pointed a tool at it that sucked out a volume of data. That data included credentials stored in plain text (another massive oversight on their behalf) which he then used to log onto the website and browse around private resources (or at least resources which were meant to be private),” said Troy Hunt, a security expert who has often been involved in the disclosure of serious vulnerabilities.

Hunt pointed out that in the case of SQL injection vulnerabilities such as the one found by Levin, it’s easy to demonstrate that a risk exists without actually accessing any potentially sensitive data.

Advertisement. Scroll to continue reading.

There are many examples of researchers who were prosecuted or at least questioned by authorities due to their methods, including Andrew Auernheimer, who was sentenced to prison for hacking into an AT&T server, and Chris Roberts, who was detained for questioning after reportedly hacking a plane while in flight.

Related Reading: Researcher Says Starbucks Threatened Him Over Gift Card Exploit

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.