Security researcher arrested for disclosing US election website vulnerabilities

screen-shot-2016-05-09-at-09-48-08.jpg

Security researcher David Levin was arrested and held by US law enforcement after breaking into and disclosing vulnerabilities in the Lee County state elections web domain.

According to the Florida Department of Law Enforcement, the 31-year-old Vanguard Cybersecurity chief compromised the Lee County website on 19 December last year.

The researcher’s findings were disclosed in a video with Dan Sinclair, a candidate running against Supervisor of Elections Sharon Harrington for the post.

In the video below, released publicly on YouTube, Levin discusses how a simple SQL injection launched against the website led to the theft of data from the elections database which had no encryption to speak of.

Usernames and passwords were among the data which the researcher — and cyberattackers — were able to steal.

“This is about as sophisticated as a system was 10 years ago and this is 2016,” Levin says.

[embedded content]

Sinclair noted that the elections office was “a little behind” with technology, despite spending “millions of dollars a year.”

When US law enforcement caught wind of the disclosure, they accused Levin of three counts of third-degree felony property crimes. The researcher later handed himself in — leading to a six-hour stint in a cell and release on a $15,000 bond.

Levin’s laptop, smartphone and storage devices were also seized.

While there may have been some politics at play here, security expert Troy Hunt, owner of Have I been pwned?, noted that it was not the disclosure of the vulnerability which was necessarily at fault — but the use of a tool to harvest data from the vulnerable database after the bug was found.

Troy commented:

“That data included credentials stored in plain text (another massive oversight on their behalf) which he then used to log onto the website and browse around private resources (or at least resources which were meant to be private). The vulnerability was then recorded and published to YouTube after which the site owner was notified.

In this particular case, I suspect there may also have been some politics at play.”

In a tweet, Levin said:

screen-shot-2016-05-09-at-09-33-07.jpg

screen-shot-2016-05-09-at-09-33-07.jpg

More security news

Read on: Top picks