By Jack Gillum, Jessica Huseman, Mike Tigas and Jeff Kao, ProPublica; and Stephen Fowler, Georgia Public Broadcasting – Article source

A ProPublica analysis found that the state was busily fixing problems in its voter registration hours after the office of Secretary of State Brian Kemp, the Republican candidate for governor, had insisted the system was secure.

On Sunday morning, Georgia Secretary of State Brian Kemp unleashed a stunning allegation: State Democrats had committed “possible cyber crimes” after a tipster told party officials he had found gaping security holes in the state’s voter information website. The affair quickly degenerated into volleying charges about whether Democrats had promptly informed officials of the possible security breach.

A representative for Kemp, the state’s Republican candidate for governor, denied vulnerabilities existed in the state’s voter-lookup site and said the problems alleged could not be reproduced. But in the evening hours of Sunday, as the political storm raged, ProPublica found state officials quietly rewriting the website’s computer code.

ProPublica’s review of the state’s voter system followed a detailed recipe created by the tipster, who was described as having IT experience and alerted Democrats to the possible security problems. Using the name of a valid Georgia voter who gave ProPublica permission to access his voter file, reporters attempted to trace the security lapses that were identified.

ProPublica found the website was returning information in such a way that it revealed hidden locations on the file system. Computer security experts had said that revelation could give an intruder access to a range of information, including personal data about other voters and sensitive operating system details.

ProPublica’s attempt to take the next step — to poke around the concealed files and the innards of the operating system — was blocked by software fixes made that evening. According to the tipster’s recipe, it was also possible to view a voter’s driver’s license, partial Social Security number and address.

Kemp is locked in a tight race with Stacey Abrams, a former Democratic leader in the Georgia House. On Monday, his spokesman said the vulnerabilities raised could not be replicated. “There was nothing to substantiate” the claims, said Kemp spokeswoman Candice Broce.

ProPublica’s test on Sunday found traces of the same vulnerabilities the tipster described in his digital recipe. Details of the alleged vulnerabilities were provided to ProPublica by the website WhoWhatWhy.org, which first reported on the security issues this weekend.

Broce said the ability to see where files were stored was “common” across many websites, and she said it was not an inherent vulnerability. She did not deny that the website’s code was rewritten and would not say whether changes were made as a result of the possible security holes. Broce clarified Monday she was instead referring to a webpage’s source code.

“We make changes to our website all the time,” Broce said. “We always move our My Voter Page to a static page before Election Day to manage volume and capacity. It is standard practice.” By Monday afternoon, the page did not appear to be static in the way Broce described, and she did not respond to a request to provide evidence of the change.

See the rest of the article here.