Gallup Poll Reveals Vulnerability to Election Misinformation Through Bugs in Open Door

As the political landscape heats up with the approaching election season, Gallup, a prominent polling company, found itself vulnerable to potential cyber attacks due to two critical cross-site scripting (XSS) vulnerabilities on its website. These vulnerabilities raised concerns about the integrity of polling and research outcomes, especially in the midst of a highly contentious US election cycle that has already seen an uptick in misinformation campaigns targeting voters.

In a recent report, cybersecurity researchers at Checkmarx revealed that they had alerted Gallup’s incident response team to the XSS flaws back in June. The first vulnerability, classified as a reflected XSS bug with a CVSS score of 6.5 out of 10, allowed attackers to execute code in a user’s browser session, enabling them to act on behalf of the user and potentially manipulate survey data. The second vulnerability, a document object model (DOM)-based XSS flaw with a CVSS score of 5.4, presented similar risks of unauthorized access and data manipulation.

“The security of survey platforms is paramount in an age where misinformation and identity theft can have far-reaching consequences, particularly during crucial global election periods,” emphasized the Checkmarx team. “Gallup’s swift response in addressing these vulnerabilities underscores the importance of safeguarding user data and preventing the spread of false information.”

The researchers identified specific weaknesses in Gallup’s system, such as inadequate sanitization of query parameters and insufficient encoding of data, that allowed attackers to inject malicious code and carry out unauthorized actions. By exploiting these vulnerabilities, threat actors could not only compromise user data but also potentially influence survey results and sway public opinion.

To mitigate the risk of such XSS attacks, cybersecurity experts recommend implementing strict data encoding practices and enhancing content security policies to prevent malicious scripts from executing. By fortifying security measures and raising awareness about the dangers of cyber threats, organizations like Gallup can better protect their systems and preserve the integrity of the electoral process.
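The two mitigations named above, output encoding and a content security policy, are shown here on a hypothetical results page that reflects a query parameter, with the weak form beside the hardened one. This is an added example, not Gallup's or Checkmarx's code; the `topic` parameter, the `survey.example` host, the function names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: a hypothetical results page that reflects a "topic" query
// parameter. Host, parameter and function names are assumptions.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function topicFrom(requestUrl) {
  return new URL(requestUrl, 'https://survey.example').searchParams.get('topic') || '';
}

// Weak form: the decoded parameter is concatenated into markup as-is.
function renderVulnerable(requestUrl) {
  const topic = topicFrom(requestUrl);
  return {
    headers: { 'Content-Type': 'text/html; charset=utf-8' },
    body: `<h1>Results for ${topic}</h1><input name="topic" value="${topic}">`,
  };
}

// Policy that refuses inline scripts and event-handler attributes.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Hardened form: encode per output context, and send a CSP as a second layer.
function renderHardened(requestUrl) {
  const raw = topicFrom(requestUrl);
  const html = escapeHtml(raw);            // element content and attribute value
  const query = encodeURIComponent(raw);   // URL query component inside href
  return {
    headers: { 'Content-Type': 'text/html; charset=utf-8', 'Content-Security-Policy': CSP },
    body: `<h1>Results for ${html}</h1><input name="topic" value="${html}">` +
          `<a href="/survey?topic=${query}">Take the survey</a>`,
  };
}

// Constructed sample requests: a script element and an attribute breakout.
const SAMPLES = [
  '/results?topic=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
  '/results?topic=%22%20onfocus%3D%22alert(1)',
];
for (const url of SAMPLES) {
  console.log('weak:    ', renderVulnerable(url).body);
  console.log('hardened:', renderHardened(url).body);
}
```

The encoder is chosen per sink: the same value is HTML-encoded where it lands in markup and percent-encoded where it lands in a URL, while the policy header stops inline script from running if an encoding step is ever missed.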

Erez Yalon, Checkmarx’s vice president of security research, highlighted the importance of securing software systems to defend against malicious exploitation. “With the proliferation of misinformation identified as a key global risk in 2024, it is essential to prioritize cybersecurity measures to safeguard against threats, educate users about potential risks, and uphold the credibility of democratic processes,” he stated.

As the stakes continue to rise in the lead-up to the election, ensuring the security and reliability of polling data remains a critical priority for organizations like Gallup. By addressing vulnerabilities proactively and implementing robust security protocols, they can help uphold the trust and transparency essential to the democratic process.
