The District of Columbia is testing a system to allow overseas military personnel to submit absentee ballots electronically via the internet. Obviously security is a major concern, and they followed a suggestion often made by the security community: open the system to the public and let white-hat hackers try to find exploits. Here is the account of one team who participated and found a vulnerability within 36 hours.
By formatting the string in a particular way, we could cause the server to execute commands on our behalf. For example, the filename “ballot.$(sleep 10)pdf” would cause the server to pause for ten seconds (executing the “sleep 10” command) before responding. In effect, this vulnerability allowed us to remotely log in to the server as a privileged user.
As a result, deployment of the system has been delayed.
This is exactly the kind of open, public testing that many of us in the e-voting security community — including me — have been encouraging vendors and municipalities to conduct.
But it could have turned out differently. If a black-hat got there first, they could fix the vulnerability after first leaving themselves a backdoor. Then the test comes out looking like a success, it goes live, and …
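The quoted finding is a classic shell command injection: an uploaded filename is spliced into a command string that a shell later parses, so a command substitution like $(sleep 10) runs on the server. The following Python is an added example, not code from the post or from the DC system, showing the vulnerable shape beside the hardened one. The tool name encrypt-ballot and the /tmp paths are hypothetical; the allowlist pattern and the metacharacter list are constructed for illustration.

```python
import re
import subprocess
import sys

# Constructed allowlist: a ballot file is a short base name plus ".pdf" and nothing else.
# Every character the quoted payload relies on ($, (, ), space) is outside this set.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.pdf")

# Shell substitution and chaining tokens worth flagging in upload logs, so that
# attempts are alerted on rather than silently dropped.
SHELL_META = re.compile(r"\$\(|`|\$\{|[;|&<>]")


def is_safe_ballot_filename(name: str) -> bool:
    """Allowlist check: True only for names like 'ballot.pdf'."""
    return SAFE_NAME.fullmatch(name) is not None


def suspicious_tokens(name: str) -> list[str]:
    """Return the shell metacharacter tokens present in a filename (detection aid)."""
    return SHELL_META.findall(name)


def vulnerable_command_string(name: str) -> str:
    """The shape of the bug described in the post: the filename is interpolated into a
    single string that is later handed to a shell, which would expand $(...) inside it.
    Shown only to contrast with hardened_argv; never execute a string built this way.
    (encrypt-ballot is a hypothetical tool.)"""
    return f"encrypt-ballot /tmp/in/{name} /tmp/out/{name}.gpg"


def hardened_argv(name: str) -> list[str]:
    """Hardened form: validate against the allowlist first, then build an argv list.
    Passed to subprocess.run with shell=False, the list goes straight to execve, so
    '$(' would be two literal characters even if validation were bypassed."""
    if not is_safe_ballot_filename(name):
        raise ValueError(f"rejected ballot filename {name!r}")
    return ["encrypt-ballot", f"/tmp/in/{name}", f"/tmp/out/{name}.gpg"]


def child_sees(name: str) -> str:
    """Demonstrate argv passing with a real child process: the Python interpreter echoes
    back argv[1]. No shell is involved, so no substitution can take place."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", name],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    for candidate in ["ballot.pdf", "ballot.$(sleep 10)pdf", "../../etc/ballot.pdf"]:
        verdict = "accepted" if is_safe_ballot_filename(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}, flagged tokens {suspicious_tokens(candidate)}")
    # The payload from the post arrives in the child unexpanded:
    print(child_sees("ballot.$(sleep 10)pdf"))
```

The two defences are independent: the allowlist rejects the payload at the boundary, and the argv list removes the shell from the path entirely, so a missed validation case cannot become code execution. Logging the flagged tokens gives operators a signal that someone is probing the upload path.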
4 comments
October 7, 2010 at 11:29 pm
itovertakesme
Really good point!
November 30, 2012 at 1:04 pm
Jacqueline
29th October 2010: Firefox has now been patched and it’s no longer vulnerable to this attack. If you have not done so, make sure Firefox has its latest updates applied.
October 17, 2010 at 7:37 pm
Carl Feynman
If the software development process is at all sane, one can’t fix a software bug on a test system and expect that it is now fixed on all future iterations of the system. The source code is kept on a computer other than that being tested, and changes to that code can’t be made from a test machine. It’s just like using whiteout to fix a typo in a review copy of a book: that won’t fix the typo in the book when it’s eventually published.
October 17, 2010 at 9:36 pm
jeff
True, but by patching the test system I make it appear that everything was fine; then I leave myself a backdoor into the *system*, and do damage once the software goes live.