Not every election hack is a blockbuster — but even small-scale attacks on states’ cyber infrastructure have the potential for catastrophic effects. After receiving a tip from a small cyber firm called Appsecuri, FiveThirtyEight has confirmed that two states, Alabama and Nevada, had vulnerabilities that left them open to potential compromises of their state web presences.
Earlier this month, Appsecuri approached FiveThirtyEight and said it found potential flaws on several states’ websites that would allow for information to be tampered with. It provided a number of vulnerabilities to FiveThirtyEight; FiveThirtyEight is only reporting those it could verify with the states affected.
Alabama has acknowledged that one of its state sites could have been penetrated to let bad actors tamper with an official webpage and potentially spread misinformation about voting and elections over social media. Nevada has acknowledged that a state site has a vulnerability identified by Appsecuri but disputes Appsecuri’s allegation that the weakness poses a risk to the state’s election system. Officials from both states said the flaws did not have the potential to allow the posting of erroneous vote counts to official pages. But outside experts suggested that there’s still reason to be concerned.
“A lot of these vulnerabilities are easily classified as a cosmetic error until someone thinks through how they can be used for other purposes,” said Harri Hursti, a cybersecurity expert with a focus in election security. A hacker’s attack may seem minor now, but it could grow into a bigger, more urgent problem come Election Day.
Appsecuri, which is based in India but has offices in California, has been in business since 2015, according to Hemant Bansal, the firm’s head of security research. He said in an interview that the firm works with companies to secure their web presences. Bansal said the firm started by working to win bug bounties from big corporations — a common practice of finding vulnerabilities in their websites and reporting them for a cash reward. The firm does something similar to drum up new business now. “If we find something, we’ll report it to you without you having to pay us, but we’re trying to demonstrate to you how good our security research is and [hope you] consider us for future engagement,” said David Nevin, the firm’s vice president of business development.
Nevin said that all the news about election hacking led the firm to think about where it might look to prove vulnerabilities and generate business within government entities. Nevin and Bansal said they reached out to all the entities about the potential vulnerabilities but never heard back.
In Alabama, the secretary of state’s office acknowledged that a vulnerability outlined by Appsecuri allowed a user to alter the appearance of a state elections page. The secretary of state’s office said that vulnerability has now been fixed.
John Bennett, deputy chief of staff for Alabama Secretary of State John Merrill, said that while an alteration of the page could have appeared on the user’s end, that user wouldn’t have been able to upload the erroneous information to the state’s official website. Still, he acknowledged that the potential for a user to alter the appearance of a state election page was problematic. If an erroneous screenshot with the trappings of an official pronouncement made its way around the internet, it could harm Americans’ trust in their elections.
“We’re at the point with elections where we are acknowledging that one of the biggest battles is to protect perception,” Bennett said. “We saw similar stuff in Doug Jones’s Senate special election where we had people saying screenshots of social media posts were edited to show a bunch of people agreeing to be bused in from Mississippi, for instance. That just creates problems and speculation.”
Nevada officials said that of the vulnerabilities outlined by Appsecuri, they already knew of one affecting the state’s business website, an online home for business document filings, but it had not been rated a high enough risk to fix immediately.
Wayne Thorley, Nevada’s deputy secretary of state for elections, said that the state had yet to fix the glitch — which he said was first discovered by an internal state scan in December — because of budgetary concerns. “We also work in a resource-constrained world in government. We evaluate those risks and rank them and prioritize them and handle the ones we can handle.“
While Appsecuri had given the flaw a “high” security rating, Thorley said the state had ranked the vulnerability’s risk as “medium,” noting that the site contained no election information and that the reporting of election results could not be affected. “If it’s a separate server, it’s likely that they are technically right,” Hursti said. “That doesn’t mean a new clever attacker who could redirect the attack won’t be successful.”
Appsecuri also claimed that login pages for the state secretary of state’s office were susceptible to the theft of usernames and passwords. But Thorley said the pages in question had “no functionality.” “Those URLs, they don’t work, they don’t do anything,” Thorley said. “They’re just pages that mirror our actual single sign-on.” When asked by FiveThirtyEight what purpose the pages serve, Thorley answered, “I don’t know why they exist.”
When FiveThirtyEight asked Hursti about Nevada’s stance, he saw a red flag. “Why would you even let people see that login environment?” Hursti said. “People can get ideas, and also people can take a look on that page and analyze it and gather intel for an attack.”
With five months to go until the midterm elections, the subpar preparation of state websites and election systems remains a concern for cybersecurity experts. According to Hursti, the potential vulnerabilities outlined by Appsecuri were basic. Using slang for relatively inexperienced hackers, he called them “‘script-kids’ vulnerabilities, which anyone can find.” Hursti said that no website “with anything meaningful” should have these kinds of vulnerabilities on its site in 2018.
While not every web vulnerability is inherently or immediately exploitable — it might be a weakness that has no clear path to causing damage — Hursti said attackers can always discover new ways to weaponize these flaws.
“Sometimes the vulnerability is outright ignored because it has been determined to be unexploitable,” he wrote in an email. “The argument that [the] vulnerability is unexploitable, while sometimes real at the moment of making that determination, is also [a] dangerous one.” Attackers just might have not yet discovered the ways to exploit it yet.
Read more: How bad election hacking could get