A Florida cybersecurity researcher has been arrested after he allegedly found security vulnerabilities in a local elections website that left usernames and passwords at risk and failed to report the flaws ethically. David Levin, who is the chief technology officer of pen-testing firm Vanguard Cybersecurity, was testing the Lee County elections website for SQL injection vulnerabilities in December. He was reportedly using Havij, a free SQL testing software. Levin claimed that the website was largely unencrypted and he could, if he wished, have stolen personal data that it had stored, including usernames and passwords, according to reports. Levin went on to publish a video online in January with local politician Dan Sinclair, who will be running for supervisor of elections in the county, where they revealed the vulnerabilities. Police subsequently issued a warrant for his arrest on three counts of third-degree felony property crimes. He turned himself in and was later released on $15,000 bail.
The point of contention in Levin’s work is not that he found vulnerabilities but rather that he was able to harvest this at-risk data using a third-party tool. He then used some of this data to log in to the website as part of his testing, according to reports. Secondly, he only notified the election authorities after the video was published.
Troy Hunt, another security researcher, wrote that the lack of security put in place by Lee County was “egregious” but Levin should have stopped when he realized what he had discovered and immediately contacted the authorities.