Researcher Arrested After Finding and Reporting SQL Injection on Elections Site

Posted on

Security expert might have gone overboard with his research. David Levin, 31, of Estero, Florida, has turned himself in after Florida police issued a warrant for his arrest last week. Police indicted Levin on three hacking-related charges, and Levin spent six hours in jail last Wednesday before being released on a $15,000 bond.

Police say Levin had illegally accessed state websites on three occasions. The first took place on December 19, 2015 when Levin illegally accessed the Lee County Elections website.

This incident was then followed by two other, on January 4 and 31, 2016, when Levin also hacked into the Department the State Elections website as well.

Levin never asked for permission to perform his tests

While it is common for infosec professionals to search for security flaws in state-owned infrastructure, authorities say they charged Levin because he never asked for permission prior to starting his endeavor.

Levin, who’s the owner of his own company called Vanguard Cybersecurity, has also recorded a video together with Dan Sinclair, detailing how he hacked into the vulnerable website using a simple SQL injection bug.

Dan Sinclair is a candidate running for the position of Supervisor of Elections for Florida’s Lee County. In the eyes of current Supervisor of Elections Sharon Harrington, this all seemed like a media stunt, and later filed a complaint against Levin.

The video was posted on YouTube on January 25, and Florida police raided Levin’s house on February 8 and seized his computers.

Levin was not satisfied with finding the SQL flaw

Now authorities are claiming that Levin never asked permission to perform penetration testing on any of the state-owned servers and that he had gone overboard with his demonstration.

They say that Levin “obtained several usernames and passwords of employees in the elections office” and that he “went a step further and used the Lee County supervisor’s username and password to gain access to other password protected areas.”

While judges may show lenience to security researchers that discover security issues and then properly report them (as Levin also did), they might not take it to heart when the researcher uses some of the data he finds on the hacked server to escalate his access.

This incident is an exact copy of the Wesley Wineberg – Facebook incident. Back in December, Wineberg managed to hack Facebook’s servers and gain access to the Instagram admin panel.

Facebook declined to pay him a bug bounty because they discovered that Wineberg had downloaded data from their servers in order to escalate his access for a bigger reward.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s