this post was submitted on 05 Aug 2024
199 points (98.5% liked)
Technology
59378 readers
2959 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
This portal is a dumb idea, but most developers know you don't let on when a hack is attempted and you detect it. It's common to return a "success" message in hopes the "hacker" stops trying and moves on. Meanwhile, you log the attempt (and don't actually cancel a voter registration).
Though, I don't have high hopes the state actually built a secure site here.
Yeah, that tells us we just don't know if this was a problem after all. Evans's statement basically claims it wasn't a vulnerability. If that's correct, then the worst thing might be if someone's browser tripped on the validation JS and allowed them down a blind alley execution path. If the claim is correct and if the page's JS never shits the bed, then in that case the only negative outcome would be someone dicking with the in-browser source could lead themselves down the blind alley, in which case who cares. The only terrible outcome seems like it would be if the claim is incorrect--i.e. if an incomplete application submission would be processed, thus allowing exploit.
Short of an internal audit, there's no smoking gun here.
It's still grossly negligent from a security perspective.