Pennsylvania took down its online voter registration Wednesday after discovering it failed to protect personal data, and the vulnerability was apparently caused by a programming error.
A Digg user reported earlier this week that Pennsylvania's online voter registration Web site exposed voters' personal information.
"This was discovered after filling out a registration myself," the Digg contributor wrote. "Being a security conscious programmer, I decided to test."
The programmer said that the printable voter application -- which users could fill out online, print out, and mail to election officials -- was not protected by authentication or validation.
Before the site shut down, PDFs containing names, dates of birth, and portions of Social Security numbers of some voters could be accessed through the state's servers.
"Had their programmer(s) validated that a requested ID belonged to the user that was logged in, there would have been no data leak," the programmer explained. "There was absolutely no validation at all and ANYONE (didn't even have to be logged into the SURE Portal System) could make requests to the script and retrieve data. Something as simple as that really makes you wonder about the security of the rest of our government systems which could be storing confidential information."
In addition to making voters vulnerable to identity theft, the programmer stated that someone could change a voter's party affiliation, print out the form, and mail it in, preventing people from voting in primaries.
State officials did not comment on the number of voter records that could have been compromised. In the 2004 presidential election, 5,731,942 registered voters went to the polls. State Democrats are holding their 2008 presidential primary on April 22.