Tuesday, May 10, 2016

Hacker Arrested after Exposing Flaws in Elections Site

A security researcher disclosed vulnerabilities in the poorly secured web domains of a Florida county elections office, but he ended up in handcuffs on criminal hacking charges and was jailed for six hours on Wednesday.

Security researcher David Michael Levin was arrested and charged by United States law enforcement after breaking into, and then disclosing, some serious vulnerabilities in a couple of elections websites in Florida.

Levin, 31, of Estero, Florida was charged with three counts of gaining unauthorized access to a computer, network, or electronic instrument.

He spent six hours in jail last Wednesday before being released on a $15,000 bond, the Florida Department of Law Enforcement officials said.

According to Florida Police, Levin illegally accessed the Lee County website on 19 December last year using stolen credentials.

This event was followed by two others, on Jan. 4 and Jan. 31, 2016, when Levin hacked into the Department of State's Elections website as well.

A YouTube video publicly posted by Levin in late January showed him entering the username and password of Sharon Harrington, the county's Supervisor of Elections, to gain control of the content management system (CMS) used to run the official website of Florida's Office of Elections.

Video Demonstration of the Elections Website Hack

Levin recorded the video together with Dan Sinclair (a candidate running against Harrington for the post), detailing how a simple SQL injection against the election website let him pull data out of the elections database, which was stored with no encryption at all.
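To make the defensive point concrete, here is an added Python example (not code from the article, from Levin, or from the county's site) that contrasts the kind of string-built login query a "simple SQL injection" abuses with the parameterized form that treats user input strictly as data. The in-memory `users` table, the two accounts and the `hash_pw` helper are all constructed for this example.

```python
import hashlib
import sqlite3


def hash_pw(password: str) -> str:
    # Constructed helper: a production system should use a salted, slow KDF
    # (bcrypt/argon2); plain SHA-256 is used here only to keep the example short.
    return hashlib.sha256(password.encode()).hexdigest()


def build_sample_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a CMS user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("supervisor", hash_pw("correct-horse"), "admin"),
            ("clerk", hash_pw("battery-staple"), "editor"),
        ],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # Vulnerable pattern: attacker-controlled text is spliced into the SQL grammar,
    # so a quote character in `username` changes the meaning of the WHERE clause.
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password_hash = '{hash_pw(password)}'"
    )
    return conn.execute(sql).fetchone()


def lookup_user_safe(conn: sqlite3.Connection, username: str, password: str):
    # Hardened pattern: placeholders bind the values separately from the statement,
    # so the same input is compared as a literal string and matches nothing.
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, hash_pw(password))).fetchone()


if __name__ == "__main__":
    db = build_sample_db()
    tautology = "' OR '1'='1' --"  # the textbook input the vulnerable query mishandles
    print("vulnerable:", lookup_user_vulnerable(db, tautology, "anything"))
    print("safe:      ", lookup_user_safe(db, tautology, "anything"))
```

The safe variant is the whole fix: no escaping, allowlisting or input "sanitizing" is needed once values are bound as parameters, and the same rule applies to every query the CMS builds, not just the login one.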


Levin was reportedly using a free SQL testing software called Havij for testing SQL vulnerabilities on the state elections website.

Almost two weeks after the video was posted on YouTube, Florida police raided Levin's house and seized his computers.

Florida Police said that Levin never asked for permission before performing his penetration testing on any state-owned server, and that he had gone public with his demonstration.

"He took usernames and passwords from the Lee County website and gained further access to areas that were password-protected," FDLE Special Agent Larry Long told the Herald Times. "The state statute is pretty clear. You need to have authorization before you can do that."

Levin was briefly held on $15,000 bond and released Wednesday afternoon.

While some researchers have sided with Levin for disclosing security holes in the election website that could put millions of voters' personal information at risk, renowned Australian researcher Troy Hunt said Levin should have stopped and immediately contacted the authorities after realizing what he had discovered.

Although it is common for researchers to hunt for security bugs in state-owned servers and websites, the bug should be reported responsibly to the respective authority before going public.


