Pen-and-Paper SQL Injection Attack Against Swedish Election

Some copycat imitated this xkcd cartoon in Sweden, hand writing an SQL injection attack onto a paper ballot. Even though the ballot was manually entered into the vote database, the attack (and the various other hijinks) failed. This time.

Three news links, in Swedish.

Posted on October 14, 2010 at 6:35 AM • 27 Comments

Comments

Mike B • October 14, 2010 6:51 AM

OMG that is a total Election WIN! Someone needs to get this out to FailBlog pronto.

ewan • October 14, 2010 7:16 AM

It's hilarious, but I'm not seeing the 'fail' here - nothing bad happened, and if you're going to allow write-in votes you can't really have poll workers dropping them on the grounds that they think they're silly.

Hum Ho • October 14, 2010 7:47 AM

@Phillip:
Babel Fish doesn't cover Swedish :(
---

translate.google.com does quite a good job.

M.V. • October 14, 2010 7:50 AM

@Ewan

It is not up to a single poll worker to decide which votes are valid, even if they are silly!

Tanuki • October 14, 2010 9:16 AM

How long before we see elections where there's a list of reserved words for the candidate- and party-namespaces?

brianary • October 14, 2010 9:33 AM

Were it a successful attack, the most interesting thing to watch would be whether news sites would become secondary victims if they published the attack without properly escaping the article text.

André • October 14, 2010 10:05 AM

I think the hackers and/or the vote-typist made an essential fault here by which the attack did not work. That does not mean it would never work at all:
Supposing that the program these data-files are fed into is just a simple csv-file-upload directly converted into some kind of sql-statement, your injection needs to start with the usually trailing " (or whatever sign the database uses to mark the end of a field-value) followed by a ; (or whatever the database uses to mark the end of a command) before you could start injecting your code. At least the " must have got lost somewhere in the process, thereby transforming the sql-statement into a regular field-value.

How the java and links should have worked, I can't see, but then I don't know how the election system over there works ...
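The import path André supposes, as an added example (not code from the post and not any Swedish election system's software): a naive CSV-to-SQL importer that splices each field value into the statement text, next to a parameterized one. The table name `valj`, the two-column CSV layout and the extra rows are assumptions; the write-in text is the one reported on this page.

```python
import csv
import io
import sqlite3

# Constructed ballot export (assumed layout: ballot_id,party). Row 2 is the write-in
# reported on the page; row 3 is a constructed name containing SQL's string delimiter.
CSV_EXPORT = (
    "ballot_id,party\n"
    "1,Piratpartiet\n"
    '2,"pwn DROP TABLE VALJ"\n'
    "3,O'Brien\n"
)


def fresh_db():
    """In-memory table standing in for the vote database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE valj (ballot_id INTEGER, party TEXT)")
    return conn


def import_unsafe(conn, export_text):
    """Naive import: the field value is concatenated into the SQL text.

    executescript() runs every statement found in the string, so whatever the
    scanner or typist recorded decides what gets executed. Rows whose value
    breaks the statement's syntax are skipped and reported.
    """
    errors = []
    for row in csv.DictReader(io.StringIO(export_text)):
        stmt = "INSERT INTO valj VALUES (%s, '%s');" % (row["ballot_id"], row["party"])
        try:
            conn.executescript(stmt)
        except sqlite3.OperationalError as exc:
            errors.append((row["ballot_id"], str(exc)))
    return errors


def import_safe(conn, export_text):
    """Parameterized import: the value is bound as data, never parsed as SQL."""
    for row in csv.DictReader(io.StringIO(export_text)):
        conn.execute(
            "INSERT INTO valj VALUES (?, ?)",
            (int(row["ballot_id"]), row["party"]),
        )
    return []


def count_parties(conn):
    """Tally of stored party names; used to check what each importer recorded."""
    return dict(conn.execute("SELECT party, COUNT(*) FROM valj GROUP BY party"))


if __name__ == "__main__":
    unsafe = fresh_db()
    print("unsafe import errors:", import_unsafe(unsafe, CSV_EXPORT))
    print("unsafe tally:", count_parties(unsafe))
    safe = fresh_db()
    print("safe import errors:", import_safe(safe, CSV_EXPORT))
    print("safe tally:", count_parties(safe))
```

Run it and both importers store "pwn DROP TABLE VALJ" as an ordinary party name, which is André's point: without the closing delimiter the text never leaves the string literal. The difference shows on the constructed row 3: the concatenating importer chokes on the apostrophe in O'Brien (a legitimate name) and silently drops the ballot, while the parameterized importer stores it verbatim. The same binding that makes the import robust to apostrophes is what makes it indifferent to a delimiter that is present.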

lazlo • October 14, 2010 10:32 AM

@André: I believe the javascript and links were there on the (I believe correct) assumption that vote tallies would be available online. If improperly escaped, they could potentially compromise systems that browsed election results.

What would you even call that? Cross-media scripting?

RH • October 14, 2010 10:57 AM

We've crossed the paper/computer boundary, all we need is the computer/brain boundary and we can have Snow Crash!

Hum Ho • October 14, 2010 11:21 AM

Knowing Swedish people I think next election this will happen even more frequently :-P

Dagens Nyheter, 2014:
"The winner of the election:

(Dagens Nyheter is a Swedish daily paper)

GregW • October 14, 2010 2:25 PM

Perhaps it's paranoid of me, but just because we can see the attacks that failed doesn't mean we can conclude that all the attacks failed!

(cf why you can't prove security through pen testing...)

gopi • October 14, 2010 3:01 PM

So, can you try to prosecute somebody for this? Can you try to track them down? Votes are anonymous...but trying to commit election fraud is illegal...I can imagine some lawyers arguing for a long time on that.

gopi • October 14, 2010 4:49 PM

Looks like they typed in a "(" instead of a "

Electronic voting systems will solve this problem. You will never have to worry about your vote for "" being mis-recorded as a vote for "(script src=foo)".

gopi • October 14, 2010 4:55 PM

Whoops, forgot to escape my HTML!

Also, the "preview" button here is broken in its handling of HTML escaping:

After a preview, the "comments" input field contains the *parsed*, *sanitized* output, not my original text.

Thus:
1. Anything between a < and > is dumped.
2. I originally typed &lt; &gt; into the field. After a preview, those have been replaced with < >, so if I post, it posts broken text.

Now, my original comment, hopefully escaped right:

Looks like they typed in a "(" instead of a "<".

Electronic voting systems will solve this problem. You will never have to worry about your vote for "<script src=foo>" being mis-recorded as a vote for "(script src=foo)".
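Two things from the comments above, lazlo's point that a published tally could carry a write-in into readers' browsers if it is not escaped, and gopi's description of a preview form refilled from sanitized output, modelled as an added example (not code from this site or from any election results page). The write-in names, the tally layout and the sanitizer model are constructed; the sanitizer follows gopi's description (tags dumped, entities decoded) rather than any real implementation.

```python
import html
import re
from html.parser import HTMLParser

# Constructed tally rows as a results page might publish them (not real data).
TALLY = [
    ("Piratpartiet", 3),
    ("<script src=foo>", 1),   # the write-in gopi quotes
    ("Tom & Jerry", 2),        # a harmless name that still needs escaping
]

TEMPLATE_TAGS = {"table", "tr", "td"}


class TagCollector(HTMLParser):
    """Records every start tag the browser would see in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def render_tally_unsafe(rows):
    """Write-in names dropped into the markup verbatim."""
    body = "".join(f"<tr><td>{name}</td><td>{votes}</td></tr>" for name, votes in rows)
    return f"<table>{body}</table>"


def render_tally_safe(rows):
    """Write-in names escaped at the point they enter HTML."""
    body = "".join(
        f"<tr><td>{html.escape(name)}</td><td>{votes}</td></tr>" for name, votes in rows
    )
    return f"<table>{body}</table>"


def foreign_tags(fragment):
    """Detection check: any tag that is not part of the template came from data."""
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return [t for t in parser.tags if t not in TEMPLATE_TAGS]


def sanitize_for_display(text):
    """Model of the comment sanitizer as gopi describes it: anything between
    < and > is dumped, then entities such as &lt; are decoded."""
    return html.unescape(re.sub(r"<[^>]*>", "", text))


def preview_field_broken(original):
    """The bug gopi reports: the form field is refilled with the sanitized output."""
    return sanitize_for_display(original)


def preview_field_correct(original):
    """The fix: keep the author's original text in the field (escaping belongs in
    the attribute rendering, not in the stored value)."""
    return original


def post_after_preview(refill):
    """What finally gets displayed when the previewed field is submitted."""
    return sanitize_for_display(refill(sanitize_for_display.__self__ if False else "I typed &lt;b&gt;"))


if __name__ == "__main__":
    print("unsafe tally foreign tags:", foreign_tags(render_tally_unsafe(TALLY)))
    print("safe tally foreign tags:", foreign_tags(render_tally_safe(TALLY)))
    print("broken preview posts:", repr(post_after_preview(preview_field_broken)))
    print("correct preview posts:", repr(post_after_preview(preview_field_correct)))
```

The unsafe renderer hands the browser a `script` start tag that came from a ballot; the safe one yields only the template's own tags and shows the write-in as literal text. The preview round trip reproduces gopi's observation: refilling the field from sanitized output turns `&lt;b&gt;` into `<b>`, which the second sanitizer pass dumps, so the posted comment loses text; refilling with the original survives.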

ath • October 15, 2010 1:11 AM

@gopi: not necessarily typed. The text was OCRed -- and may thus have been tuned to find 'normal' text, rather than code.

Jonas Ö • October 15, 2010 6:40 AM

I worked as an election official (at the lowest level) in the 1998 election in Sweden (I'm a Swedish citizen) and I've stood for election at the municipal level in all elections since then. All votes in Swedish elections are made by putting a piece of paper, roughly 4x6 inches in size, into a sealed envelope; these envelopes are then opened and counted by hand at each voting location.
Sometimes counting machines (standardized bill counters) are used to verify the manual count.

Most votes are pre-printed with a party name and a number of candidates. These votes are sorted and placed into different stacks according to party name.
Votes that do not have a pre-printed party name on them are inspected by at least two different election officials; if the hand-written party name on the vote is identical to or sufficiently close to the name of a registered party, the vote is transferred to the stack with the corresponding pre-printed votes. Otherwise these "odd" votes are recorded, manually, onto a special piece of paper.

The resulting vote totals are recorded on paper; the count is then signed and counter-signed by election officials on-site. This official count and all votes are then transported to central counting stations for a second round of counts.

This initial round of counting is usually completed some 6-8 hours after closure of the voting station. (In 2010, there were 5668 voting stations; some 6 028 000 votes were recorded at the national level).

In the second round of counting OCR scanners are used, but only for the pre-printed votes - they are used to capture votes for individuals within the registered parties. To my knowledge, hand-written votes are always dealt with manually, and usually they go through several stages of manual interpretation and recording (both pen-and-paper and keyboard-and-screen recording) before they are committed to a database. So an SQL injection attack using this signalling path is a looong shot.

So I strongly doubt that the hand-written party name
pwn DROP TABLE VALJ
(VALJ means "elect" in Swedish) was meant as a serious attempt at disrupting the Swedish elections.
Despite the fact that The Economist reported it as "an attempt to sabotage the Swedish election" or some such nonsense.

The list of all hand-written votes is at
http://www.val.se/val/val2010/handskrivna/...

gopi • October 15, 2010 3:07 PM

@Jonas Ö:

Interesting. Of course, due to the paper trail, if they realize they've been pwned they can add some more input sanitization and re-scan the ballots...
