A cybersecurity researcher who exposed vulnerabilities in a Florida elections website was last week arrested and charged on three third-degree felony counts.
Vanguard Cybersecurity boss David Levin handed himself in on Wednesday and spent five hours in the Lee County Jail cells before being released on a $15,000 bond, according to local reports.
He had posted a YouTube video detailing his research, which found simple SQL injection flaws in the website of the Lee County Supervisor of Elections Office, using the popular Havij automated SQLi tool.
Dan Sinclair, one of the candidates currently running for the supervisor of elections position, appears alongside Levin in the video, although he was not involved in the research itself.
"Dave didn't do anything wrong," he’s quoted as saying. "This is political corruption."
However, Troy Hunt, security researcher and owner of the Have I Been Pwned? site, argued that Levin was in the wrong as he could have demonstrated security weaknesses in the site without exposing personal data.
“Dave obviously found a serious risk but rather than just stopping there and reporting it, he pointed a tool at it that sucked out a volume of data,” he explained in a blog post. “That data included credentials stored in plain text (another massive oversight on their behalf) which he then used to log onto the website and browse around private resources (or at least resources which were meant to be private).”
He urged researchers to “stop early” and “report ethically” to avoid any similar legal repercussions in the future.
Levin himself seems to agree, posting the following tweet today:
“@troyhunt is right, and I let hubris get the best of me. From now on I'm asking myself, ‘What Would Troy Do?’ #WWTD”
He has been charged with three counts of unlawful access of a computer system after the incident in early January.