An anonymous whistleblower tipped off 15min.lt to flaws in The Voter’s Page (rinkejopuslapis.lt), a system financed by the Central Electoral Commission (CEC) that is designed to assist voters during the country’s ongoing parliamentary elections. First round voting was held last week.
The flaws in the site allowed for personal data such as ID numbers, dates of birth and addresses to be retrieved, 15min.lt reporters found. Once users entered their details, the addresses for subsequent forms were generated using a simple pattern. Reporters found that decoding the pattern allowed them to create an account, log in, alter the last few digits of the address, and then the access personal details of other users.
A thief could theoretically automate this process and steal the personal information of every user on the site.
CEC member Jonas Udris immediately shut down The Voter’s Page after learning of the loophole.
"After receiving this information, I have no choice. This is a disaster," Udris told 15min.lt.
The CEC has not said how many people’s data was exposed by the flaw.
The flaw is the second personal data leak in a week involving The Voter’s Page. On Sunday, 15min.lt exposed a smaller loophole, which allowed users to see the personal data of random previous users.
Lithuanian company Tieto Lietuva initially developed The Voter’s Page, but the project was recently handed to another developer, iTree Lietuva.
It has yet to be determined which company is to blame for the loophole.