Georgia's voter portal gets a crash course in client versus backend input validation

The US state of Georgia has a website for cancelling voter registration, and it's had a bumpy start. The site was created to streamline the process of voluntarily cancelling one's voter registration. It's intended to be used by former Georgia residents who move away to another state, or by those related to citizens who have …

  1. DS999 Silver badge

    This is still a huge vulnerability

    The last four digits of most people's SSN have been breached at least once, so that info is out there and, unlike a street address, isn't changing.

    They are also placing a lot of faith that there isn't some sort of insider aided exploit. i.e. either someone inside Georgia's secretary of state's office with access to voter registration information could download that information, and copy the list of people registered democrat and make it available to third parties who will do the dirty work of unregistering enough of them right before the registration deadline that it costs Harris the state. Alternatively, if there were some "investigations" by the state house or senate that involved getting hold of voter registration information, the same could be done.

    Of course by the time this was discovered it would be too late, and republican election deniers would claim it is democrat sour grapes. Even if the people who thought they were registered were allowed to vote via a provisional ballot, the election deniers would cry foul and claim it is "election fraud" and none of those provisional ballots should be counted. If they aren't, they win. If they are, they claim fraud and try to submit "alternate electors" to the electoral college. The goal of republicans isn't to root out fraud, because they know there was no large scale fraud that cost Trump the last election, or even a single state in the last election. The goal of republicans is uncertainty and chaos, so that no one trusts the actual election results and it goes to a vote of the house or gets decided by the highly partisan Supreme Court.

    1. Anonymous Coward

      Re: This is still a huge vulnerability

      "so that no one trusts the actual election results"

      *cough*2016*cough*

      Hillary is STILL moaning about having the election stolen from her.

      How many people said 'not my president' after 2016?

      The Dems sowed the seeds!

      1. Anonymous Coward

        Re: This is still a huge vulnerability

        still trying to influence elections putin boy?

      2. DS999 Silver badge

        Re: This is still a huge vulnerability

        Please post a link where Hillary said "the election was stolen".

        Trump is the one who keeps falsely claiming fraud every other sentence. I swear, the projection on the right is amazing. Anything your guy has done, you accuse the other side of doing. When are you going to claim that Kamala stole classified documents, engaged in felony bank fraud, and tried to illegally overturn the results of a fair election? I'm sure that's coming, because Trump doesn't know how to do anything but accuse others of his crimes to try to diminish them!

      3. jake Silver badge

        Re: This is still a huge vulnerability

        Hillary Clinton is no longer in politics. In fact, none of the Clintons are in politics, and haven't been for a long time. Certainly not in this election cycle. Why are you still babbling about ancient history?

        Oh, yeah, that's why. Misdirection noted. Typical Republican bullshit.

        1. DS999 Silver badge

          Re: This is still a huge vulnerability

          Also because Trump is so mentally unwell he will sometimes talk about how he's running against Hillary or running against Obama, and like good little cult members they have to ignore that and pretend he's speaking some sort of truth, rather than admit their orange clown is in greater cognitive decline than Biden.

          BTW, that's one of the reasons why Fox News will no longer carry most of his rallies live. They don't want their viewers to see how bad he is, they want them to remember the 2016 Trump and think he's still all there.

      4. Casca Silver badge

        Re: This is still a huge vulnerability

        No, it's you who is moaning about it...

      5. Jamie Jones Silver badge

        Re: This is still a huge vulnerability

        That would be a great point, but unfortunately it's a load of old bollocks.

    2. diodesign (Written by Reg staff) Silver badge

      Kinda out of scope

      Yeah I get what you're saying but then you could argue that every site / app that requires that info to do business has a "huge vulnerability" because that sort of info is stolen and traded all day every day on the dark web.

      The scope of this article is the programming of this particular portal, and the way it validates input data, not the pros and cons of using SSNs and ID numbers - just my 2c.

      C.

    3. TheBruce

      Re: This is still a huge vulnerability

      But my question is why even do this? Georgia is still a participant in the Electronic Registration Information Center (ERIC), unlike some other Republican majority states. Doesn't it already provide this service???

  2. John Robson Silver badge

    "The site rightly included client-side checking of the submission, though when that was bypassed, there should have been an immediate backend check to alert the user that information was missing and that the cancellation request would therefore be rejected by staff."

    Why? - to submit something avoiding the client-side check, you know you've bypassed it.

    The paper form doesn't automatically warn you if you seal the envelope without filling in all the required fields.

    1. Persona Silver badge

      Agreed. I also quite like the fact that if someone is attempting something nefarious they don't get to realize that not only doesn't it work but also their activities are being detected.

      1. MachDiamond Silver badge

        "I also quite like the fact that if someone is attempting something nefarious they don't get to realize that not only doesn't it work but also their activities are being detected."

        I expect that it reduces the load on servers to do the checking after submission rather than in real time. People should need to submit an email address for notifications since I would also expect that somebody trying to fiddle the system isn't going to offer up a valid email address, but somebody using the system as intended will.

        Voter registrations should be subject to cancellation if somebody hasn't voted in a couple of years, the State has issued a death certificate for that person (it's easy to re-register in the case of an error) or they've changed their address. I've always updated my registration when I've moved and it's no big deal. I think it's one of the things listed to do in the change-of-address packets you get at the post office. The tiny bit of effort is a good indication that somebody is interested in participating. I've never liked automated registration schemes that seem like they just lead to fraud.

        1. John Robson Silver badge

          "the State has issued a death certificate for that person (it's easy to re-register in the case of an error)"

          Is it though? I'd have thought being legally dead would make it a right pain.

          1. Baird34

            It is a real pain, believe me. It keeps me up at night wandering the house rattling chains and making ghastly noises.

    2. diodesign (Written by Reg staff) Silver badge

      Q. Why?

      A. To avoid confusion like what happened here. If the front-end knows to expect all the fields, the backend generating the form for clerks should too.

      This feels like the CrowdStrike parameter mismatch IRL.

      C.

      1. anothercynic Silver badge

        Re: Q. Why?

        Correct. That's good programming practice. If anything, the backend should be especially strict... Anything browser-based is not under your (the developer's) control anymore, so any browser-side validation is... iffy.

        1. Michael Wojcik Silver badge

          Re: Q. Why?

          Client-side validation isn't so much "iffy" as "no more than a convenience for the user". It's worthless for ensuring data validity on the back end.

          And proper front-end validation should have a "submit this anyway" option for the user, because sometimes the front end is wrong. The back end is the source of truth.
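The backend check the thread is arguing about, as an added example (this is not code from Georgia's portal, and the field names, the ISO date format and the four-digit SSN fragment are assumptions made for illustration). The point it shows is the one made above: the browser's `required` attributes and widgets are a convenience, so the server repeats every rule itself, on exactly the fields the form is supposed to carry, and a request that skipped the client-side JavaScript is rejected rather than passed on to a clerk with holes in it.

```python
"""Server-side validation for a hypothetical voter-registration-cancellation form.

Added example, not the portal's own code. Field names are assumptions.
"""
import re
from datetime import date

# The one rule table. A front-end generated from this cannot drift from the backend,
# which is the "parameter mismatch" risk raised in the thread.
REQUIRED_FIELDS = ("first_name", "last_name", "date_of_birth", "county", "ssn_last4")
OPTIONAL_FIELDS = ("email",)
KNOWN_FIELDS = set(REQUIRED_FIELDS) | set(OPTIONAL_FIELDS)


def validate_submission(form, today=None):
    """Return a list of error strings; empty list means the submission is acceptable."""
    today = today or date.today()
    errors = []

    # 1. Presence. A browser "required" attribute is bypassed with one curl command,
    #    so the server repeats the check instead of assuming the field arrived.
    for field in REQUIRED_FIELDS:
        if not str(form.get(field, "")).strip():
            errors.append(f"{field}: required")

    # 2. Format. Exactly four ASCII digits for the SSN fragment, nothing else.
    ssn = str(form.get("ssn_last4", "")).strip()
    if ssn and not re.fullmatch(r"[0-9]{4}", ssn):
        errors.append("ssn_last4: must be exactly four digits")

    # 3. Semantics. Parse the date ourselves rather than trusting the date picker.
    dob = str(form.get("date_of_birth", "")).strip()
    if dob:
        try:
            if date.fromisoformat(dob) > today:
                errors.append("date_of_birth: in the future")
        except ValueError:
            errors.append("date_of_birth: not an ISO date (YYYY-MM-DD)")

    # 4. Unknown keys. A forged POST can carry fields the form never offered
    #    (anything a clerk-side record might honour). Reject rather than silently ignore.
    for field in sorted(set(form) - KNOWN_FIELDS):
        errors.append(f"{field}: unexpected field")

    return errors


def handle_request(form, today=None):
    """Stand-in for the HTTP handler: 400 with errors, or 202 queued for a clerk."""
    errors = validate_submission(form, today)
    if errors:
        return {"status": 400, "errors": errors}
    return {"status": 202, "errors": []}


# Constructed sample submissions (not real data). FIXED_TODAY keeps the example deterministic.
FIXED_TODAY = date(2024, 8, 1)

VIA_BROWSER = {  # what the front-end lets through
    "first_name": "Pat", "last_name": "Voter", "date_of_birth": "1980-05-17",
    "county": "Fulton", "ssn_last4": "1234", "email": "pat@example.invalid",
}

FORGED_POST = {  # hand-crafted request that never saw the client-side JavaScript
    "first_name": "Pat", "last_name": "Voter", "date_of_birth": "2030-01-01",
    "county": "", "ssn_last4": "12ab", "processed_by": "clerk",
}

if __name__ == "__main__":
    print(handle_request(VIA_BROWSER, FIXED_TODAY))
    print(handle_request(FORGED_POST, FIXED_TODAY))
```

Whether the error list is echoed back to the submitter or only logged is a separate policy choice (the thread disagrees on it); what is not optional is that the decision is made on the server from the full rule table, so a clerk never sees a half-filled request that the front-end would have refused.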

  3. Anonymous Coward

    SSN? really?

    I was under the impression that SSN was no longer permitted to be used for non-Social Security Administration related uses.

    1. Persona Silver badge

      Re: SSN? really?

      SSN is still widely used as an authenticator because it is "convenient" to assume it is a secret known only to the holder ....... despite the holder having to supply the number to multiple entities such as banks, so it is not secret. As such it should at best be considered an identifier, but never as an authenticator, e.g. "this is who I am purporting to be" and not "this is proof of who I am".

      1. Brewster's Angle Grinder Silver badge

        Re: SSN? really?

        There is no number that can serve as a reliable identifier. As soon as one vaguely secret number is found, its deployment starts undermining its own usefulness.

        1. John Robson Silver badge

          Re: SSN? really?

          The solution of course is cryptographic signatures.

          1. Michael Wojcik Silver badge

            Re: SSN? really?

            No, it really isn't.

            Now, if you'd said, say, "the solution is identity-based encryption", you might at least have had an argument to make. But "digital signatures" is as much a general solution as "latex paint" is a general solution.

            If your problem happens to be "I need a moderately-durable cosmetic membrane to cover a surface, that's relatively convenient to apply, and can be tinted in any of a wide range of colors", then latex paint looks pretty good. If your problem is "I need something to eat for dinner" or "I need a data structure that offers O(1) insertion and retrieval and no worse than O(n) deletion" or "I need a solution to the epistemological scandal", then latex paint is not great.

            Similarly, digital signatures are pretty good for problems like "I'd like to have some confidence that this collection of bits I received was generated, or at least endorsed, by some entity that knows the private key corresponding to this public key I have". And that certainly is a useful cryptographic primitive in a number of situations. It most definitely does not solve any of a wide range of problems around establishing or guaranteeing the identity of human actors.

    2. Michael Wojcik Silver badge

      Re: SSN? really?

      That's a myth. While the SSN was used more or less exclusively for Social Security for around a quarter of a century after the scheme was finalized in 1936, the IRS started using SSNs for taxpayer identification in 1962, and its use as a national identifier grew from there. Puckett notes there were public concerns about privacy from the start, but mostly around other information collected by the SSA (particularly by certain branch-office employees who added their own questionnaires to the official forms) rather than regarding the number itself.

      The "Not for identification" banner was removed from SSN cards in 1972.

  4. Brewster's Angle Grinder Silver badge

    BACK ENDS are not for WIMPS

    I've lost track of the number of times I've been phoned up and asked for missing info or had it explained that the info is off the edge of their page...

  5. Anonymous Coward

    "prevent malicious actors from interfering with American democracy"

    Including the fat orange one?

    1. Anonymous Coward

      Re: "prevent malicious actors from interfering with American democracy"

      Is "American democracy" the same as "our democracy" which really means "maintain the corrupt status quo so we don't go to prison"?

      No-one seems to be worried that Harris and Walz are busy spreading an internet meme as if it was fact

      https://www.snopes.com/fact-check/jd-vance-couch-cushions/

      1. jake Silver badge

        Re: "prevent malicious actors from interfering with American democracy"

        "spreading an internet meme as if it was fact"

        Oh dear. You seem to be far too uneducated to be able to afford a string of pearls to clutch.

        Read my lips: It Was A Joke. Everybody in the audience laughed, because in that context it was funny. (Maybe not to the MAGA[0] cult, admittedly.)

        During the meanwhile, the question remains: Has Vance got the cojones to get off his couch and debate Walz? Somehow, I doubt it.

        [0] MAGA: Muppets Annoying Genuine Americans

        1. Anonymous Coward

          Re: "prevent malicious actors from interfering with American democracy"

          And if Trump or Vance made a joke you have a toddler-grade tantrum and start screeching about 'misinformation'.

          1. Casca Silver badge

            Re: "prevent malicious actors from interfering with American democracy"

            Sure anon maga muppet

          2. jake Silver badge

            Re: "prevent malicious actors from interfering with American democracy"

            Actually, if Trump or Vance "made a joke", I'd be utterly flabbergasted. Those two lying sacks of shit have backed themselves so far into their own made-up corner of pseudo-reality that it's painfully obvious that neither of them would recognize a funny if it bit them.

            During the meanwhile, the sane among us will continue laughing at their expense.

  6. wub

    Why does unregistering have to be fast, easy and convenient?

    My father was a Georgia resident when he decided to move out of state to be closer to me and my family. Sadly, he died a relatively short time later. At the time he died, among my tasks as executor was cancelling his voter registration. He had registered in my state prior to his death, so I notified the registration authorities that he had died, and enclosed a copy of his death certificate with the letter.

    How hard is that?

    What's troubling me is that I'm reasonably sure that we did not actively cancel his registration in Georgia when he registered here, assuming that the state voter registration authority would do that as a matter of course. Hmmm. When I moved to this state, I'm pretty sure I didn't cancel my previous registration either, for the same reason.

    In any case, I have read many times that combing the voter registration lists for the dead and other anomalies is a routine task for those folks, so they should catch most of this without any outside assistance.

    I think the whole idea behind this particular website is wrong, and the process seems to be just begging to be abused.

    1. whoseyourdaddy

      Re: Why does unregistering have to be fast, easy and convenient?

      Isn't there a database of deceased to prevent stolen identity financial fraud?

  7. Gary Stewart

    ERIC

    There is a system in place for states to pass voter registration and voter information changes among themselves to help keep the records across states current. It is voluntary and was adopted by 31 states. In the last two years I believe nine Republican-led states have dropped out due to a campaign based on a blatant lie (sound familiar?). Since then those states have struggled to keep their registration records up to date. Why anyone that wants to "improve voting security" would cripple their ability to maintain accurate voter registration data is beyond me. Then again, anybody that thinks that under 0.001% voter fraud (see next two paragraphs) equates to a voter fraud problem and stolen elections needs a long stay in the loony bin.

    Several years ago then-Republican Governor Rick Perry and then-Republican Attorney General (now Governor) Greg Abbott spent three years and 10 million taxpayer dollars looking for the "massive" voter fraud they said was occurring in Texas. After investigating 5 years of voting they found 11 cases, only two of which were considered prosecutable. Most of them (6) were for mailing the voter registration form from an address that was not the home address, although technically this is not voter fraud since it does not indicate that illegal votes were actually cast. So while there was voter fraud it was microscopic, not massive, and not even close to relevant to the results of any election. When asked by the Dallas Morning News if this was a proper use of state resources and money, their reply was that they did find voter fraud!

    The estimated amount of voter fraud in the United States is between 0.00006% and 0.0009%. Judging by the results of the previously mentioned investigation and other investigations in other states this appears to be accurate. So if you want to claim massive voter fraud I need to see proof, real proof. All the evidence to date indicates that it does not exist except in the minds of some very gullible people.

  8. disgruntled yank

    Why?

    I have moved between jurisdictions a number of times since I reached voting age, and I have never bothered to cancel my registration in the jurisdiction I was leaving. Anyone trying to vote under my name at an old address would have encountered a number of difficulties.

    1. MachDiamond Silver badge

      Re: Why?

      "Anyone trying to vote under my name at an old address would have encountered a number of difficulties."

      In some jurisdictions, maybe. If somebody knew your name/address and that you moved, they could show up at the polls on voting day and vote if there was no ID requirement. If a mail-in ballot showed up at your old address, the current resident could fill it out and send it in since some judges have ruled that those all have to be counted even if they lack a verifiable signature.
