Ensuring that the next elections are free and fair is crucial to the return of democracy and stability in Macedonia. A young female blogger contributed to this process by discovering a flaw related to the government’s voters’ registry web app. One of the reforms needed to end the current political crisis in Macedonia, as stipulated within an agreement that was overseen by the European Union and the United States, is the restoration of the State Election Commission (SEC) to good and honest working order. It also requires a “clean-up” of the voters’ registry, ensuring that only people with the right to vote can do so. The first official investigation that the Special Public Prosecutor has launched as part of this effort is looking into the creation of “phantom voters,” as well as votes in the name of dead or absent citizens.
The web application that enables citizens to check if they are in the voters’ registry has been active for years. The SEC is supposed to clean up the database behind it, but as software developer Kalina Zografska found out, that would have only solved part of the problem.
On the morning of February 10, Zografska published a blog post titled “Would you like to have a copy of the voters’ registry? Click here!” reporting that she had discovered a flaw that “leaves the voters’ registry free for the taking, including sensitive personal data of all citizens, such as the Unique Master Citizen Numbers, names, area of residence” on the official government body’s website.
In the blog post, Zografska explained that the application utilizes a very simple URL to trigger the display of citizens’ data, using the Unique Master Citizen Number as input. In all former Yugoslav countries, this ID number has a fixed, predictable format, consisting of the date of birth and other basic elements. Therefore, a simple script can target the application with requests using changed parameters and extract data on all citizens.