Ok y’all, time to buckle up. It’s time for me to post about yes, yikes, politics and data leaks. T
Ok y’all, time to buckle up. It’s time for me to post about yes, yikes, politics and data leaks. The Saga Begins! Shortly after 8 PM Saturday, Mountain Time (MT) / 10 PM Eastern / 3 AM Sunday, Greenwich Mean Time (GMT), Reddit user BattyBoomDaddy alerts r/InTheNews and other subreddits of a security/privacy issue with The Trump campaign’s DontTouchTheGreenButton.comThe problem being brought up in that reddit post, is that anyone in the US* could go to the website, start filling out the “Name” section and see a select list of Maricopa County Voters** with their full legal names and full addresses.The image above, though censored, is a real example of the name search results. If you started to write “Smith” for example, it would show the first few results with Smith in the name. Writing “Smith Tempe” would narrow it down to any results containing both Smith and Tempe, such as “[Person’s Name], [Street Number] Smith Rd, Tempe AZ”Selecting any of these results would result in it filling in the selected name in the “What is your name?” answer box AND filling the address into the address portion. You know. The one you’re supposed to fill out to confirm you identity. NOTE: Full names & addresses have been censored by the OP of the Imgur post about this (see the end of the post) in order to respect privacy & comply with Arizona law. Black boxes cover the names that were provided, red covers street addresses & zip codes that were associated with those names. *VPN and Tor exist, as does Web Archive, so like, you could youse those if you aren’t in the US.**This was not a FULL list of all Maricopa County voters. It DID NOT LIST ALL voters, nor all Republican voters. It is unclear where the data is from and what the criteria was for inclusion in the database.Part Two: Reddit RumorsAt least one reddit user claimed to use an “SQL injection to pull Names, Addresses, DOBs and last 4 of SSNs.” The post or posts may have been removed, but the story continued despite no additional sources confirming the story. Ax Sharma from Bleeping Computer picked up on this story, did some digging, & were unable to confirm or verify the claims of an SQL injection being able to have been used, nor were they able to find social security numbers. A reddit user also alleged that the “API gives a voterid data point in the response payload. I can confirm that the voterid data point is the actual Voter ID # for the state.” Bleeping Computer did verify here that something called “voterid” was in the database, but not if it were actual voter identification numbers that would be on voter registration cards.Reddit users started crossposting the HECK out of this story and also started reaching out to various Arizona voting officials and tech contacts to get the story out.Part Three: Twitter users start picking up on the story, digging into it, and providing proof by publishing the data they can scrape together.Tim Carambat reports on the issue & asks Amazon Web Services & Algolia (The website’s search provider) to take down the information. Carambat may be the first to report the database has 163K entries Richey Ward also starts covering the news, analyzing their findings & also reporting that the database has over 163k records.Adam Surak of Algolia tweets that if they get confirmation from Maricopa County confirms the data shouldn’t be accessible, then they can disable the search feature.Cyber Security & National Security Investigative Journalist Kim Zetter confirms that “While voter records are public records, Arizona law only provides access to political parties or to anyone who wants to view them in a local election office. They should not be accessible over the internet” Multiple people on reddit & twitter post start reporting that the problem has been fixed.Adam Surak tweets a confirmation that the database is empty & he has "a green light to shut it down immediately” if someone at DontTouchTheGreenButton.com repopulates the dataPart Four: So wait, what’s the problem if it was only names and addresses?Voter records are public records but… as different US states have different laws on who can access voter information, how they can access it, and more. The long & short of it is that Arizona doesn’t allow anyone to "distribute, post or otherwise provide access to any portion of that information through the internet” as mentioned above and as stated here on the NCSL website.Final ThoughtsThe information WAS taken down, but, well… once something was out there, they’re the possibility someone got that information and has it.Individuals have brought this story to the attention of MANY levels of local government, journalists, news organizations, etc. So you may see this story soon. Or it may disappear. Who knows.This Post has Been Edited & Modified for Tumblr with Permission from the OP of the Rundown Post on Imgur -- source link
#arizona news#maricopa county#privacy#voter information#private information#data leaks