In Chicago, voter registration site has had security hole for six years

Simple programming technique could expose personal info of a million users, allow hacker to change information on the site.
Written by Richard Koman, Contributor
The Chicago Board of Elections has been running a website that for the past six years, at least, has allowed a simple programming hack to expose the personal information of a million registered voters, the Chicago Sun-Times reports.

Peter Zelchenko, a 43rd Ward aldermanic candidate and computer expert, informed the board of the problem, which immediately deployed a fix. Chairman Langdon Neal ordered his staff Monday to hire an outside forensic computer consultant to "look at the security of the system and also look at computer logs to determine if there has been any hacking or wholesale downloading," according to board spokesman Tom Leach.

Ironically, the problem was created by a security enhancement. Until six years ago, voters could search their registration using SSN, birthday or name.

"The new program blocked out the social numbers and the date of birth, which are still in our central files, but they apparently didn't completely close the door on the Internet," Leach said.

How does the hack work? Zelchenko demonstrated for a Sun-Times reporter.

Hacking the Board of Elections site was as simple as typing a single quote character in the "Last Name" box on chicagoelections.com. Well-known to hackers as an "escape character," the single quote symbol brought up a line of computer code that could guide a knowledgeable person to all the information in the city voter registration database, including Social Security numbers, birthdays and home addresses.

Zelchenko, who is 44 but got his first job working in computers at age 14, demonstrated the flaw by taking about 30 seconds to bring up a Sun-Times reporter's Social Security number. Zelchenko also obtained the Social Security numbers of the three members of the Chicago Board of Elections, which the Sun-Times was able to confirm were accurate.

The website appears to be updated every 24 hours so any changing of the database would only last that long.

Though it wouldn't change the actual polling places, it "could cause a lot of confusion" by misdirecting people who go to the elections Web site to find out where they vote, Zelchenko said. Zelchenko said it would be short work to write a script, or small program, that could automatically download the entire database.
Editorial standards