
Tina Podlodowski
1620 7th Ave. W
Seattle, WA 98119


September 7, 2016

Agnes Kirk
Chief Information Security Officer
Washington State Office of Cyber Security
1500 Jefferson St.
Olympia WA 98504

Dear Ms. Kirk,

Recently it has come to my attention that voters' personal emails and phone numbers, among
other private information, are available online to anyone with basic technology skills, in violation
of state law. I am coming to you with this information with the intention to follow the recognized
protocols for reporting a potential cyber security risk to the voters of Washington.

RCW 29A.08.710 makes it clear that:

(2) The following information contained in voter registration records or files regarding a
voter or a group of voters is available for public inspection and copying, except as provided
in RCW 40.24.060: The voter's name, address, political jurisdiction, gender, date of birth,
voting record, date of registration, and registration number. No other information from
voter registration records or files is available for public inspection or copying.

The facts of this loophole in the state's voter registration database, as I understand them, are as
follows:

1. Voter registration information is public and anyone can download at
http://www.sos.wa.gov/elections/vrdb/download/vrdb-current.zip

2. Using this data and knowledge about a back end pathway, anyone can access private
information data fields including personal cell phone, personal email, ballot delivery type,
and military status. I have included below the step by step instructions I received when I
was alerted of this security breach.

3. Anyone with basic programming skills and knowledge about these weaknesses could
conceivably automate this data lookup and harvest private data from millions of
Washingtonians.

Step-by-Step: How to view illegally posted MyVote personal info about any registered voter
in WA.
1. Go to https://weiapplets.sos.wa.gov/MyVote/

2. Log in to MyVote with name and bday (available using the public voter registration data
available for download on the Secretary of State's website).
2. Navigate to the Voter History page/tab.
3. Choose Inspect element (on a PC in Firefox) or choose View Source located under
developer in the view menu (on Mac in Chrome)
4. On new Inspector/ view source MyVote page, on top menu bar, click Network
5. Click Reload button on My Vote website.
6. On second menu bar, click File/Name header button. This sorts the File column
alphabetically.
7. Scroll down and click on the File column entry beginning with Voter.ashx?f=
8. Click Headers button if not already highlighted in blue.
9. The URL you want is the one in the first line, labeled Request URL: Highlight with
mouse or double-click and copy it. Example:
https://weiapplets.sos.wa.gov/MyVote/services/Voter.ashx?f=00904208217620918324804820622017
0194014183172085&l=253131186053222010227032156089098243024239005090&b=162237110011160153071
043162021040248036215171123&v=06304002416719325207604106006305011

10. Now open a new blank tab in your browser and paste in that URL.
11. Note the fields for phone, email, ballot delivery method, military; these are all
personally sensitive information prohibited by law from disclosure.



The next section of this letter shows example screenshots of my own information to illustrate these
points:




Back end pathway URL for my personal information (only active if logged in to MyVote as Tina
Podlodowski (Birthday 08/26/1960)):

https://weiapplets.sos.wa.gov/MyVote/services/Voter.ashx?f=009042082176209183248048206
220170194014183172085&l=253131186053222010227032156089098243024239005090&b=
162237110011160153071043162021040248036215171123&v=063040024167193252076041
06006305011h

My voter information available at the link above includes a personal phone and email address.



Again, I am coming to you with this information because my intention is to best follow the
recognized protocols for reporting a potential cyber security risk to the voters of Washington. To
date I have not made this matter public because I hope this issue can be researched and remedied
swiftly without further exposing vulnerable data. I ask that you research and if needed rectify this.
I would appreciate knowing the final resolution, if and how this data may have been harvested,
and any safeguards that are put in place if action is required.

Thank you in advance for your prompt attention to this potentially serious security matter.

Sincerely,



Tina Podlodowski
