David Levin, CTO of pentesting company Vanguard Cybersecurity, has made a critical mistake while testing the security of the Lee County (Florida) elections website: he accessed and used usernames and passwords of employees in the elections office in order to see what other information he could access – all without official permission.
He accessed the info by performing simple SQL injections via Havij, a freely available SQL injection tool.
But what perhaps irritated officials even more was the fact that he first informed Dan Sinclair, one of the candidates running for the Supervisor of Elections position, about his findings. He then recorded and published a video on YouTube explaining how easy it was to break into those sites. Only then did he notify the right authorities and the elections offices about what he did.
Levin, who considers himself to be a security researcher and says he did it all to help the election offices secure their websites, has made the mistake of extracting and using internal data.
Security expert Troy Hunt says that while the “oversights on that website were egregious,” Levin should have stopped and reported the vulnerabilities before sucking out data from the site.
“That data included credentials stored in plain text (another massive oversight on their behalf) which he then used to log onto the website and browse around private resources (or at least resources which were meant to be private),” he noted, and advised security researchers to “stop early, report ethically.”
“Frequently, with a risk like SQL injection, a single request with a single erroneous character is enough to establish with a fairly high degree of confidence that a risk exists,” he explained. “For example, a URL with a query string such as ID=123 may return an internal SQL exception to the page if a single quote is appended thus malforming the underlying query. That exception won’t return any personal data and it won’t get you arrested (certainly I’m aware of no precedents), but it’s enough to demonstrate an underlying risk.”
Levin was arrested on May 4 (he turned himself in after an arrest warrant was issued), and released a few hours later under a US$15,000 bond. He is currently facing three third-degree felony counts of property crime.