Hacker News new | past | comments | ask | show | jobs | submit login
[flagged] 4chan reveals online voter exploit that can be used to cancel ballots? (twitter.com/whjtehovse)
69 points by michannne 13 days ago | hide | past | favorite | 70 comments

Actually no, this isn't voting. It's a sample digital ballot that you have to print out and return in person. I'm honestly surprised this amount of disinformation made it to the HN front page.

Here's the form they think is real: http://oregonvotes.org/pages/ballots/11032020/Washington/34_...

I'm not willing to test it myself, but maybe the worst of this is that it seems to allow anyone to look up any Oregon voter's registered mail address if you have their birthday, meaning most famous/public figures in Oregon are at some risk it would seem.

Yes, this is true. However, it is public information and the site has a disclaimer indicating this. There is an alternate route to register to vote if your information is confidential. It’s trivial to learn this information in other ways as well. It’s somewhat notable how easy it was for me to look up a prominent politicians registration info, but that is simply not news. This post was flagged appropriately.

This in itself isn’t unusual. Or at least Kentucky’s voter registration tool is the same way.

The tweet does imply voting, but cancelling is possible, this is just the most visible tweet as of right now

Ive updated the title to reflect this

The tweet does far more than imply.

Why are you posting 4Chan garbage to HackerNews? Is this even confirmed?

If you head to the website and put your name and DOB, the cancellation of your ballot after requesting a replacement is mentioned at the bottom of the page

I'll add that anyone can request a replacement, and the cancellation is effective immediately

Can you actually cancel a ballot through the online portal or not?

In Oregon you cannot cancel a ballot through the online portal, or at all

If I had to pit 4chan against HN in a scavenger hunt, I would bet on 4chan.

edit: in fact I think this happened. wasnt there an online quiz we lost at a couple years ago?

Where on the my vote portal does it let you cancel? Ballots have already been mailed anyways so it's a bit late for anyone to try to change anyones status.

When requesting a replacement. I have hidden the thread until the story is confirmed by a reputable news org

In Oregon there’s not a way to request a replacement ballot. I am looking at the form right now and there is no way to either cancel or request a replacement ballot online.

To request a replacement ballot you have to fill out a form and send it to your county clerk, and the form asks you for a lot more info than your DOB.

As far as cancelling your vote, when has that EVER been an option and what purpose would it serve?

It wasn't an option, but it happens when you print out the new online ballot. The website has a caution notice about it when you go to print "Caution: If you continue, a ballot previously mailed to you will be canceled"

That's not a feature. You can't even cancel your registration without contacting the county directly. But keep spreading misinformation.

"But keep spreading misinformation"

I've nothing to gain spreading misinformation. As I've said I've hidden the thread until a reputable news org is able to report on this.

You prefer a third party text that has been through censorship to the direct source?

I don’t understand. Why would these states allow you to invalidate a ballot online? What’s the legitimate use case for that feature?

They don't have a "cancel ballot" button. When you fill out and print the new online ballot it will cancel any previously sent ballots. They site says "Caution: If you continue, a ballot previously mailed to you will be canceled"

They don't.

Wow. This post was dangerous disinformation. I have independently confirmed this is false and ballots cannot be canceled or changed.

It is indeed possible to see addresses where ballots were mailed, and I was able to view a politician’s information using only their name and date of birth gleaned from Wikipedia.

I’m sure this information can be found in any number of ways, however. There is also a disclaimer stating “ If your information is confidential or you are not yet 18 years old, contact your county elections official to confirm your registration status.” which indicates using that site to register has no implication of privacy.

It fits the reactionary narrative so I'm not sure why it's surprising.

it shouldn't fit your narrative either. you believe in free and accurate elections right?

I live in Chicago. I find it absolutely absurd that people don't think politicians steal votes.

I don't see why politicians would bother to create a poorly-designed public-facing website to steal an election.

are you asking why politicians would bother to steal an election?


I think you should respond with a logical point rather than insulting me

why would they do it in a way that's easy for other politicians to use

fraud is never an easy tool. it's used when you can get away with it. why is it literally known as the cook county democratic machine without backlash?

you're also assuming its easy for other politicians to use. as if counting votes is just the web app...


please be specific. this isn't a place for twitter comments. what have I said that you think is delusional?

4chan was able to print Portland's Mayor Ted Wheeler ballot and change his vote to Trump. Go and look it up on the site.

It's trivial to demonstrate that that claim is false.

Someone in this thread linked the page to the "voting" screen. It's just a form to print a new ballot that you would then mail or bring in person.

You're right. 1) This only changes a form you can print out, sign and mail in or drop off (they're not checking accuracy of signatures this year) 2) This does reveal lots of PII 3) 4CHAN is now using obituaries to search for dead people who have voted

you can't just drop it off, you have to return it in a certified ballot envelope that has all of your information on it and one-time codes to avoid forgeries.

who cares if they're looking at obits, great, that's fine, every political party has lawyers to do that and they're better at it anyway.

>This site allows you to mark, review, and print your ballot materials for return to your county elections office.

Their FAQ makes no mention of placing it in a ballot envelope. In fact they offer the ability to print your own from the website. Where are you getting that information?

It appears one can type in a name and dob, print a ballot, fill it out, and drop it off. What am I missing that is also not in their FAQ?


   Step 4: Return your Ballot

   After printing your marked ballot summary:  
   Enclose your ballot in the secrecy envelope.  
   Then place that envelope in the return identification envelope.
   Sign the ballot declaration and the return identification envelope
Is your theory simply that nobody in the Oregon Secretary of State's office thought people might try to cheat?

If that's the case why are they offering users the ability to print it out and return it if doing so requires a unique one time ballot envelope?

Visually impaired voters who can use a screen reader but may have trouble with the paper ballot. Voters with motor issues that make it difficult to fill in a bubble with a pen.

Here are the instructions for using the alternate ballot: https://sos.oregon.gov/voting/Pages/instructions-disabilitie...

The tweet is wrong yes, but my main point was the fact that requesting a replacement ballot invalidates the previous sent ballot.

It does not. Also, you can’t even update registration info without an Oregon DMV number. At that point you’re straight up committing identity theft. Even if you could it does not invalidate an already submitted ballot. This is not correct information you are spreading.

Does it?

I'll clarify: using name and DOB allows you to see voter information. This is relatively benign as it is public information. However the site also has the option to request a replacement ballot. When requesting a replacement, the website mentions that if a previous mail-in ballot has not yet been successfully validated, it will be cancelled.

My aim is not to spread disinformation here. I have hidden the thread until a reputable source can confirm further as there may be other details I'm missing. This is not about changing votes, but the replacement of a ballot that can be initiated using very little information, and can cause a person's mail-in ballot to be invalidated.

> However the site also has the option to request a replacement ballot.

In Oregon, there is no such option.

Here is the specific page that people are somewhat concerned about. I'm a WA voter, but it seems like they use a similar system to OR. When I go to https://voter.votewa.gov/ and enter my first/last name and DOB, I can go to "My Ballot -> Online Ballot" and it gives the following text:

>To print a ballot packet, only click "Continue" if you did not receive your ballot by mail or your ballot is lost or damaged. Continue only if you intend to vote this ballot.

>Print both 1) Replacement Ballot and 2) Ballot Return Packet.

>To view what's on your ballot, select the voters' guide in the navigation menu.

>Frequently asked questions

>This site allows you to mark, review, and print your ballot materials for return to your county elections office.

>Can I just view my online ballot and then vote the paper ballot coming to me in the mail? >No, the online ballot should only be used if you want to print, vote and return it. Click on Voters' Guide in the >left navigation to see what will be on your ballot and to learn more about the candidates and measures. >I lost my paper ballot, can I print and return this online ballot? >Yes, the online ballot is a great replacement ballot option. When printing make sure to print both the 1) replacement ballot and 2) the ballot packet. Follow the ballot packet instructions and make sure you return your ballot on time – the earlier the better! >Caution: If you continue, a ballot previously mailed to you will be cancelled.

It is specifically this phrase Caution: If you continue, a ballot previously mailed to you will be cancelled. that is concerning. It makes one think that if I press the [Continue] button on that page, then the ballot that has already been mailed to me will be automatically canceled. Can you confirm that that is not the case, and if so what is your evidence?

Oregon aside. This seems really concerning. Can someone explain to me this isn’t really the case?

I don’t believe anyone anymore (only like 1/2 hyperbole).

well, I'm only able to speak for Oregon, so I will update my post.

I don't know what will happen if you click through. You could try it I guess, apparently 4chan has already cancelled everyone's vote anyway.

I would like to add that so far, the information suggests that anyone in Washington (known to use a similar system) receiving a mail-in ballot can have their mail-in ballot cancelled by a stranger on the internet before it arrives.

I will update the link and title as additional information comes in.

EDIT: California requires SSN, so it is not as susceptible

EDIT: Oregon requires further steps, is not susceptible, there has not been any confirmation on Washington and I cannot test that myself

Apparently an uzbekistani anonymous user wrote a script to automate cancelling votes after the exploit was discovered.


Non ephemeral link: https://web.archive.org/web/20201018061012/https://i.4cdn.or...

This is straight up FUD.

Yes, you can change a printable ballot form that you then have to PRINT OUT AND RETURN before it is counted. This is no more an "exploit" than a printing a blank ballot, filling it in, and sending it in under someone else's name, or showing up at a polling place and voting as someone else.

It's also fraud and a felony for anyone who does it...

Not just return it: Return it in a certified, signed ballot envelope that was mailed to a registered voter

Whew, well, that’s good.

So the posts about how in Washington they cancel the original ballot when you go through the print process for a new one are not correct?

That seemed like too obvious a flaw!

The parent commentor is being strangely dismissive and they are 100% wrong. In washington merely printing out a new ballot will immediately cancel the old one. It says it on the damn website.

I can't speak for Oregon, but this is not FUD. I can't imagine any good intentions from someone being so disinterested in the possibility of fraud.

That seems impossibly wrong! Such a glaring flaw in the system should be big news.

Has anyone but 4chan written about this? I wasn’t able to find anything.

> It's also fraud and a felony for anyone who does it...

Because that stops people who are planning to tamper an election in the first place?

This post should be removed, it's spreading highly misleading information about an ongoing election.

Can someone verify this? It’s huge if true, but I thought voting was anonymous so how can someone see a vote via an online platform?

Edit: Please remember there’s a lot of disinformation going around about voting in general, be extra skeptical before sharing this further because it’ll just cause more unrest about the election.

Yeah, I shouldn't have jumped on the tweet, but I was able to verify on the website itself that it does notify that an existing ballot would be canceled when requesting a replacement.

I've no intention of creating undue panic.

I've hidden the thread and will delete it tomorrow likely.

It’s easily done, I’ve fallen for something myself recently and started sharing it around, it is pretty tiring to be constantly alert to (probably) fake stories!

This article shouldn’t have been flagged. Here’s a link to the Oregon authentication page for updating voter registration:


Others from Oregon confirm what this page implies: you just need name and DOB to mess up a voter’s registration.

In California, to change someone’s voter registration, you also need the last four digits of their SSN and their drivers license number.

You can’t change anything on the Oregon page with only a name and DOB. You need a drivers license/ID number and that’s just to request a postcard that you have to sign and return. Please stop spreading misinformation.

It took me five minutes to verify this information about Oregon is not factual. You can see someone’s address with name and date of birth, but the site makes it clear if you register with this system that info will not be confidential. You cannot register or change address without an Oregon DMV number. I have not verified additional states. EDIT: To clarify, I only mention registration and change of address because these are the only features I can find that resemble the report in any way. There is no way to request a replacement. You can very very easily test this yourself.

This is not about registration, it is the replacement feature that can cause a ballot that has not yet been successfully validated to be invalidated.

> the replacement feature

does not exist (in Oregon at least)

You obviously didn't even open the link. This isn't an "article." It's a twitter thread of screenshots from 4chan.

Why would this cancel the vote?

It won't. This is blatant misinformation.

Depends on the state that uses this system on if it does do this. I assume to prevent people from sending in 2 ballots with the same name.

They wouldn't listen


The robots.txt file of Oregon.gov is somewhat suspicious. There seem to be lots of hidden executable files as well as pages with GET queries.

Because of the amount, I would guess some of the executable files lead to web shells. I am less sure of, but still somewhat confident, that the open GET queries might be pages where someone has discovered a SQL injection flaw.

They are likely trying to prevent these pages from appearing on Google where a regular user might notice. Will try to look shortly on desktop and update further.

[1] - https://www.oregon.gov/robots.txt

Honestly, it seems far more likely to me that some "SEO Expert" came through at some point and said they should optimize their searchability by making sure search-engines didn't index certain pages.

Seems far more likely than that there's anything actually bad going on here.

Also, jumping from "Huh, lots of robots.txt entries" to "SQL injection flaw" doesn't make sense to me. I don't see how those things are related.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact