Chicago Board of Elections Pwned
By Matt Wood in Miscellaneous on Oct 24, 2006 12:21PM
Part of us thinks we're paranoid for protecting our personal identity like the Holy Grail, changing passwords every couple months, shredding every piece of paper with even a scrap of identifying data on it before it leaves our house, refusing to ever give out our Social Security number unless it's absolutely necessary. The thing is, we're not so much worried about someone actively going after this information as we are about it falling into the wrong hands out of sheer negligence. And this morning, our fears are confirmed as we read about the latest incident of all that tinfoil origami going to waste.
Peter Zelchenko, a 43rd Ward candidate for alderman who also happens to know a thing or two about computers, reported a bug in a Chicago Board of Elections website that has exposed at least 1 million voters' Social Security numbers for the past six years. The site allows voters to check their registration status by entering their name and address. Zelchenko notified the Sun-Times and the Board that by using a common hacking technique, he could find out Social Security numbers, dates of birth, etc., and even change data in the database. The Board is still trying to determine if anyone exploited the loophole, but if it's been there for six years, we're going to say yes.
What bothers Chicagoist is that the problem could've been fixed years ago by applying the proper security patches to their database server, though bad design contributed as well (turns out they haven't needed SSNs to identify voters for three years now). The Board says they've fixed the problem, but if you try the technique Zelchenko demonstrated by entering a single quote for the last name at the registration site, you still see evidence of sloppy programming, which makes us wonder how many more holes are lurking out there.
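Why a lone single quote is such a telling test, as an added example that is not the Board's code: it assumes the lookup form built its SQL by pasting the form fields into the query text, which the reporting does not confirm. The table, column names and sample rows are constructed for illustration, and the second function shows the usual fix, bound parameters plus returning only the field the page needs.

```python
import sqlite3

def make_db():
    # Constructed sample data; the schema is hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE voters "
               "(last_name TEXT, address TEXT, status TEXT, ssn TEXT)")
    db.executemany("INSERT INTO voters VALUES (?, ?, ?, ?)", [
        ("O'Brien", "100 N Example St", "ACTIVE", "000-00-0001"),
        ("Smith", "200 W Sample Ave", "INACTIVE", "000-00-0002"),
    ])
    return db

def lookup_concatenated(db, last_name, address):
    """The 'before': form input pasted into the SQL text, every column returned."""
    sql = ("SELECT * FROM voters WHERE last_name = '" + last_name +
           "' AND address = '" + address + "'")
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # The quote changed the structure of the statement itself. A site that
        # lets this error reach the visitor is showing the symptom described above.
        return "database error: %s" % exc

def lookup_parameterized(db, last_name, address):
    """The 'after': input is bound as data, and the SSN column is never selected."""
    sql = "SELECT status FROM voters WHERE last_name = ? AND address = ?"
    return [row[0] for row in db.execute(sql, (last_name, address))]

if __name__ == "__main__":
    db = make_db()
    for name in ("'", "O'Brien"):
        print(repr(name), "concatenated ->",
              lookup_concatenated(db, name, "100 N Example St"))
        print(repr(name), "parameterized ->",
              lookup_parameterized(db, name, "100 N Example St"))
```

Note that the concatenated version also fails for a legitimate voter named O'Brien, so the same flaw is both a security hole and an ordinary bug.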