According to a comprehensive report published Tuesday in Politico, Lamb wrote a simple script that would pull records off the website of Kennesaw State University’s Center for Election Systems, which, under contract with Georgia, tests and programs voting computers for the entire state. By accident, Lamb’s script uncovered a breach whose scope should concern Republicans and Democrats alike. Reporter Kim Zetter writes:
Within the mother lode Lamb found on the center’s website was a database containing registration documents for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to the server on Election Day; and software files for the state’s ExpressPoll poll books — electronic computers used by poll workers to verify that a voter is registered before allowing them to cast a vote. There also appeared to be databases for the so-called GEMS servers. These Global Election Management Systems are used to prepare paper and electronic ballots, tabulate votes and produce summaries of vote totals.
The files were supposed to be behind a password-protected firewall, but the center had misconfigured its server so they were accessible to the public, according to Lamb. “You could just go to the root of where they were hosting all the files and just download everything without logging in,” Lamb says.
And there was another problem: The site was also using a years-old version of Drupal — a CMS — that had a critical software vulnerability long known to security researchers. “Drupageddon,” as researchers named the vulnerability, got a lot of attention when it first broke out in 2014. It would let intruders easily seize control of any site that used the software. A patch to fix the hole had been available for two years, but the center hadn’t tried to update the software, even though it was widely known in the security community that hackers had created automatic scripts to attack the vulnerability back in 2014.
Lamb was concerned that hackers might already have penetrated the center’s site, a situation that wasn’t improbable given news reports of intruders probing voter registration systems and election websites; if they had breached the center’s interface, they could potentially have planted malware on the server to infect the computers of county election workers who accessed it, thereby giving hackers a backdoor into election offices throughout the state; or they could possibly have altered software files the center distributed to Georgia counties prior to the presidential election, depending on where those files were kept.
Lamb privately reported the exposure to university officials, the report notes. But he learned this March that the critical Drupal vulnerability had been fixed only on the HTTPS version of the site. What’s more, the same mother lode of sensitive records was still accessible. The findings meant that the center had been operating outside the scope of both the university and the Georgia Secretary of State for years.