Hacking Sweden's election with pen and paper

In Sweden's recent election, a small collection of crafty programmers appear to have attempted to hack the voting database with a pen-and-paper attack.

While most people vote with pre-printed ballot papers, the country's election law allows you to write your vote out by hand, and one person appears to have tried to take advantage of this by using an SQL injection to destroy the database.

The election was very close, and so the election authority has published all the pen-and-paper votes online, anonymised, for full transparency. Scanning through them, blogger Jonas Elfström noticed the following line: ";13;Hallands län;80;Halmstad;01;Halmstads västra valkrets;0904;Söndrum 4;pwn DROP TABLE VALJ;1".

The DROP TABLE command in an SQL database deletes the entire table of votes when it's executed, meaning that had the electoral commission not been careful, it could have wiped all the election data. This has become known as a "Little Bobby Tables attack", after webcomic XKCD brought it to greater attention. It requires you to know, or successfully guess, the name of the database, however, which may have been why it failed.

Others tried to get JavaScript into the listing, with one person voting for: "R;14;Västra Götalands län;80;Göteborg;03;Göteborg, Centrum;0722;Centrum, Övre Johanneberg;(Script src=http://hittepa.webs.com/x.txt);1". There were a few links to online shops and other websites too. Those were all foiled, however, because the list of votes was published in plain text, rather than HTML.

Let this be a lesson to all you coders out there. Sanitise your database inputs.
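The lesson above as an added example, not code from the article or from the election authority: it parses the record quoted earlier and stores the handwritten text once by string concatenation and once as a bound parameter. The field names, the `votes` table, the use of SQLite and the quote-bearing `CONSTRUCTED` value are all assumptions made for the illustration.

```python
import sqlite3

# Field names are assumptions: the page shows values but no header row.
FIELDS = ("party", "county_code", "county", "municipality_code", "municipality",
          "constituency_code", "constituency", "district_code", "district",
          "written_text", "count")

# The record quoted in the article.
PAGE_LINE = (";13;Hallands län;80;Halmstad;01;Halmstads västra valkrets;"
             "0904;Söndrum 4;pwn DROP TABLE VALJ;1")
# Constructed value: a quote closes the string literal, then a second statement.
CONSTRUCTED = "pwn'); DROP TABLE votes; --"

def parse_vote_line(line):
    """Split one semicolon-separated record into a dict keyed by FIELDS."""
    parts = line.split(";")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def new_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE votes (written_text TEXT)")  # hypothetical schema
    return db

def store_unsafe(db, text):
    # Vulnerable: voter text is pasted into the SQL string. executescript()
    # stands in for a driver that accepts several statements per call.
    db.executescript(f"INSERT INTO votes (written_text) VALUES ('{text}');")

def store_safe(db, text):
    # Hardened: voter text is bound as a parameter and never parsed as SQL.
    db.execute("INSERT INTO votes (written_text) VALUES (?)", (text,))

def table_exists(db):
    q = "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='votes'"
    return db.execute(q).fetchone()[0] == 1

def stored_texts(db):
    return [row[0] for row in db.execute("SELECT written_text FROM votes")]

if __name__ == "__main__":
    for value in (parse_vote_line(PAGE_LINE)["written_text"], CONSTRUCTED):
        unsafe, safe = new_db(), new_db()
        store_unsafe(unsafe, value)
        store_safe(safe, value)
        print(repr(value), "| unsafe table survives:", table_exists(unsafe),
              "| safe stored:", stored_texts(safe))
```

Binding the value as a parameter, rather than stripping characters from it, is what keeps the handwritten text out of the SQL parser while still recording it exactly as written.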

Thanks to Karolina and Andy for assistance with this story.

This article was originally published by WIRED UK