During the recent ASSU election, the ballot website exhibited a security flaw that could have allowed individuals to tamper with voting results had it gone unchecked. Three Stanford students discovered the bug when trying to access the website to vote and immediately notified the ASSU Elections Commission, which had the vulnerability patched.
The vulnerability became evident when the site could not be accessed and displayed a server error instead. Due to a bug in the site’s code, the server error gave access to troves of sensitive information.
“The debug flag had been set to ‘true’ on the server, which basically means it shows all the information that could be helpful in debugging it,” Russell Kaplan ’17 said. “When we were all looking at this page, it was clear that there was definitely sensitive information on the page. One of them was the credentials for the database used by the ASSU to handle all of [its] voting. And the username and the host and the password for the database were just exposed on the website once you find a server error.”
Kaplan discovered the bug along with two other CS106 section leaders, Jason Teplitz ’17 and Sam Redmond ’18, while working in the LaIR on the night of April 15. Redmond received an email from his dorm alerting him to vote in the ASSU election but was presented with a server error when he tried to access the link. The three of them began investigating the page when they noticed the information that was being displayed.
“We started investigating more, and sure enough, we were able to log into the server from the computer in the LaIR, and from there were able to read and write permissions to every single field in the database,” Kaplan said.
According to Kaplan, this “severe” security vulnerability made every individual’s voting record visible and allowed for prior submissions to be altered.
“You [could] modify people’s votes and … rig the election,” he said.
By the time they identified the bug, there had been a few hundred votes cast. The three students were not sure if they were the first to catch the bug and immediately emailed ASSU Election Commissioner and fellow section leader Saj Sri-Kumar ’16 notifying him of the vulnerability. Sri-Kumar, whom the students described as “very responsive,” then notified an individual who had access to the site’s code and had the incorrectly set debug flag patched within minutes.
While the individual bug, which Teplitz described as trivial and easy to avoid, was fixed, the students feel that the site likely has other security vulnerabilities.
“I’m not at all convinced that there aren’t other problems with the site, but they’ve taken care of that one,” said Teplitz. “It feels like there are probably other vulnerabilities to this website. It doesn’t feel like a secure voting system by any means.”
Sri-Kumar insists that at no point was the election’s integrity at risk, noting that votes are saved in multiple places.
“What they did was very helpful, but we had a number of security measures in place,” Sri-Kumar said.
Sri-Kumar also explained that, to the best of his knowledge, the website itself was never actually breached.
“At no point did anybody breach anything. Even if they had, it wouldn’t have made any material impact,” he added.
The website is passed down year to year and adjusted accordingly. The code is stored on a private server, separate from the general ASSU server, for security purposes. Only the election commission has access to it, according to Sri-Kumar.
Despite Sri-Kumar’s confidence that the election was never in jeopardy, Kaplan, Teplitz and Redmond felt that the site’s information could have easily been manipulated.
“It wouldn’t be hard at all for just one person, a student or not even a student, to just completely invalidate the voice of the student,” Teplitz said. “It’s the end goal of trying to exploit the system. You end up with complete control over where the data goes, so you can change the entire ballot, you can change people’s names, statements, rewrite how much money everybody is getting in special fees.”
According to Teplitz, it would have been possible to set automatic triggers that would divert votes from one candidate to another.
“You can honestly probably do all of this and nobody would have noticed,” he said.
The ASSU did not feel it was necessary to notify students of the security flaw.
“Especially with tensions running high, it didn’t make sense to tell people there was a problem when there was no problem,” Sri-Kumar said.
Kaplan, however, feels students should have been notified of the vulnerability, given how close many of the elections were.
“The margin of victory was very slim in some of the races — voters should have assurance that outcomes reflect the student body’s decision and not the whims of a hacker,” Kaplan said.
Kylie Jue contributed to this report.
Contact Sam Premutico at samprem ‘at’ stanford.edu.