Some copycat imitated this xkcd cartoon in Sweden, hand writing an SQL injection attack onto a paper ballot. Even though the ballot was manually entered into the vote database, the attack (and the various other hijinks) failed. This time.
ewan • October 14, 2010 7:16 AM
It’s hilarious, but I’m not seeing the ‘fail’ here – nothing bad happened, and if you’re going to allow write-in votes you can’t really have poll workers dropping them on the grounds that they think they’re silly.
Dennis Suitters • October 14, 2010 7:26 AM
At least the Data Entry person was smart enough to filter their input, haha.
Phillip • October 14, 2010 7:41 AM
Babel Fish doesn’t cover Swedish 🙁
Hum Ho • October 14, 2010 7:47 AM
@Phillip:
translate.google.com does a quite a good job.
M.V. • October 14, 2010 7:50 AM
@Ewan
It is not up to a single poll worker to decide which votes are valid, even if they are silly!
Tanuki • October 14, 2010 9:16 AM
How long before we see elections where there’s a list of reserved words for the candidate- and party-namespaces?
brianary • October 14, 2010 9:33 AM
Were it a successful attack, the most interesting thing to watch would be whether news sites would become secondary victims if they published the attack without properly escaping the article text.
Harry • October 14, 2010 9:57 AM
@MikeB: FailBlog or ItMadeMyDay.com?
André • October 14, 2010 10:05 AM
I think, the hackers and/or the vote-typist made an essential fault here by which the attack did not work. That does not mean it would never work at all:
Supposing, that the program these data-files are fed into is just a simple csv-file-upload directly converted into some kind of sql-statement, your injection needs to start with the usually trailing ” (or whatever sign the database uses to mark the end of a field-value) followed by a ; (or whatever the database uses to mark the end of a command) before you could start injecting your code. At least the ” must have got lost somewhere in the process, thereby transforming the sql-statement into a regular field-value.
How the java and links should have worked, i can’t see, but then I don’t know how the election system over there works …
Kalle Anka • October 14, 2010 10:08 AM
Hack Denna Kalle Anka (Hack This Donald Duck)
Do Not Duck • October 14, 2010 10:13 AM
http://www.translation-guide.com/free_online_translators.php?from=English&to=Swedish
Swedish translator online.
lazlo • October 14, 2010 10:32 AM
@André: I believe the javascript and links were there on the (I believe correct) assumption that vote tallys would be available online. If improperly escaped, they could potentially compromise systems that browsed election results.
What would you even call that? Cross-media scripting?
RH • October 14, 2010 10:57 AM
We’ve crossed the paper/computer boundary, all we need is the computer/brain boundary and we can have Snowcrash!
Hum Ho • October 14, 2010 11:21 AM
Knowing Swedish people I think next election this will happen even more frequently:-P
Dagens Nyheter, 2014:
“Vinnaren i valet:
<script type=”text/javascript…
(Dagens Nyheter is a swedish daily paper)
olof • October 14, 2010 11:32 AM
@lazlo: They are just available in excel and tsv formats.
ab • October 14, 2010 11:36 AM
…I think THIS xkcd represents what happens on this forum and others quite often…
Neil in Chicago • October 14, 2010 12:12 PM
Now THAT‘s voting Pirate Party!
GregW • October 14, 2010 2:25 PM
Perhaps it’s paranoid of me, but just because we can see the attacks that failed doesn’t mean we can conclude that all the attacks failed!
(cf why you can’t prove security through pen testing…)
gopi • October 14, 2010 3:01 PM
So, can you try to prosecute somebody for this? Can you try to track them down? Votes are anonymous…but trying to commit election fraud is illegal…I can imagine some lawyers arguing for a long time on that.
gopi • October 14, 2010 4:49 PM
Looks like they typed in a “(” instead of a “<“.
Electronic voting systems will solve this problem. You will never have to worry about your vote for “” being mis-recorded as a vote for “(script src=foo)”.
gopi • October 14, 2010 4:55 PM
Whoops, forgot to escape my HTML!
Also, the “preview” button here is broken in its handling of HTML escaping:
After a preview, the “comments” input field contains the parsed, sanitized output, not my original text.
Thus:
1. Anything between a < and > is dumped.
2. I originally typed < > into the field. After a preview, those have been replaced with < >, so if I post, it posts broken text.
Now, my original comment, hopefully escaped right:
Looks like they typed in a “(” instead of a “<“.
Electronic voting systems will solve this problem. You will never have to worry about your vote for “<script src=foo>” being mis-recorded as a vote for “(script src=foo)”.
ath • October 15, 2010 1:11 AM
@gopi: not necessarily typed. The text was OCRed — and may thus have been tuned to find ‘normal’ text, rather than code.
Jonas Ö • October 15, 2010 6:40 AM
I worked as an election official (a the lowest level) in the 1998 election in Sweden (I’m a Swedish citizen) and I’ve stood for election at the municipal level in all elections since then. All votes in Swedish elections are made by putting a piece of paper, roughly 4×6 inches in size, into a sealed envelope; these envelopes are then opened and counted by hand at each voting location.
Sometimes counting machines (standardized bill counters) are used to verify the manual count.
Most votes are pre-printed with a party name and a number of candidates. These votes are sorted and placed into different stacks according to party name.
Votes that do not have a pre-printed party name on them are inspected by at least two different election officials; if the hand-written party name on the vote is identical to or sufficiently close to the name of a registered party, the vote is transferred to the stack with the corresponding pre-printed votes. Otherwise these “odd” votes are recorded, manually, onto a special piece of paper.
The resulting vote totals are recorded on paper; the count is then signed and counter-signed by election officials on-site. This official count and all votes are then transported to central counting stations for a second round of counts.
This initial round of counting is usually completed some 6-8 hours after closure of the voting station. (In 2010, there were 5668 voting stations; some 6 028 000 votes were recorded in the national level).
In the second round of counting OCR scanners are used, but only for the pre-printed votes – they are used to capture votes for individuals within the registered parties. To my knowledge, hand-written votes are always dealt with manually, and usually they go through several stages of manual interpretation and recording (both pen-and-paper and keyboard-and-screen recording) before they are committed to a database. So an SQL injection attack using this signalling path is a looong shot.
So I strongly doubt that the hand-written party name
pwn DROP TABLE VALJ
(VALJ means “elect” in Swedish) was meant as a serious attempt at disrupting the Swedish elections.
Despite the fact that The Economist reported it as “an attempt to sabotage the Swedish election” or some such nonsense.
The list of all hand-written votes is at
http://www.val.se/val/val2010/handskrivna/handskrivna.xls
gopi • October 15, 2010 3:07 PM
@Jonas Ö:
Interesting. Of course, due to the paper trail, if they realize they’ve been pwned they can add some more input sanitization and re-scan the ballots…
Davi Ottenheimer • October 19, 2010 4:06 PM
Amateurs use SQL injection attacks on ballots.
Professionals change their name to SQL injection attacks and run for office.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Mike B • October 14, 2010 6:51 AM
OMG that is a total Election WIN! Someone needs to get this out to FailBlog pronto.