A security researcher was arrested and charged after finding some serious vulnerabilities on a couple of elections websites in Florida.
David Levin, owner of Vanguard Cybersecurity, discovered in December that the elections website of Lee County was plagued by an SQL injection vulnerability that allowed access to credentials stored in plain text. The expert later also identified security holes on the Florida Division of Elections website.
Levin contacted a supervisor of elections candidate and in January they made a video demonstrating the existence of the SQL injection flaw on the Lee County elections website and showed how exposed credentials could be used to access accounts and information. The security hole was only then reported to the Supervisor of Elections Office.
According to local reports, the white hat hacker was arrested last week and charged with three counts of unauthorized access to a computer or a computer system. He was released on a $15,000 bond after a few hours.
Authorities said the researcher hacked into the state elections website twice in January and once into the Lee County elections site in mid-December.
While Levin’s case might also have something to do with politics, experts pointed out that it’s another example of a researcher going too far to demonstrate the existence of a flaw.
“Dave obviously found a serious risk but rather than just stopping there and reporting it, he pointed a tool at it that sucked out a volume of data. That data included credentials stored in plain text (another massive oversight on their behalf) which he then used to log onto the website and browse around private resources (or at least resources which were meant to be private),” said Troy Hunt, a security expert who has often been involved in the disclosure of serious vulnerabilities.
Hunt pointed out that in the case of SQL injection vulnerabilities such as the one found by Levin, it’s easy to demonstrate that a risk exists without actually accessing any potentially sensitive data.
.@troyhunt is right, and I let hubris get the best of me. From now on I’m asking myself, “What Would Troy Do?” #WWTD https://t.co/oPF5gaCrR2
— David Levin (@realDavidLevin) May 9, 2016
There are many examples of researchers who were prosecuted or at least questioned by authorities due to their methods, including Andrew Auernheimer, who was sentenced to prison for hacking into an AT&T server, and Chris Roberts, who was detained for questioning after reportedly hacking a plane while in flight.
Related Reading: Researcher Says Starbucks Threatened Him Over Gift Card Exploit