Gallup.com Bugs Open Door to Election Misinformation

Source: Kristoffer Tripplaar via Alamy Stock Photo

UPDATE

As election season started to simmer over the summer, the Gallup polling company rushed to patch against a pair of cross-site scripting (XSS) vulnerabilities in the company’s website that left it vulnerable to malicious actors.

Both flaws presented the opportunity for adversaries to perform actions on behalf of users.

These weaknesses are particularly concerning heading into a US election season that is already being widely targeted by misinformation. Just this week, for instance, the US Department of Justice accused Russia of a $10 million disinformation campaign that sought to barrage social media with enough bad information to sway the presidential election in November.

Cybersecurity researchers with Checkmarx explained in a report on Sept. 9 that they first contacted the incident response team at Gallup on June 23 to report the XSS flaws — the first a reflected XSS bug with a CVSS score of 6.5 out of 10, and the second a document object model (DOM)-based XSS vulnerability with a CVSS score of 5.4.

Cross-scripting flaws allow an attacker to use the URL address bar to insert unauthorized script into a page. For this attack, a target would be sent a malicious URL that looks exactly like a Gallup.com page. Once the victim clicks on the link, they are taken to a page indiscernible from the real thing֫—except in this instance the attacker controls the content displayed.

While these flaws do not impact any of Gallup’s internal data or polling, the bugs could be used by bad actors to spoof convincing looking Gallup.com site pages with misleading information. At scale, a convincing Gallup-branded page could be used spread misinformation to millions of people at once. Of particular concern to the Checkmarx team is that with a trusted name like Gallup behind the bad information, the campaign could appear incredibly convincing—a particularly dangerous risk during election season.

“In an era where misinformation and identity theft pose significant threats, the security of survey platforms is crucial, particularly during pivotal global election cycles,” the Checkmarx team wrote. “Gallup, the leading survey company, quickly addressed security vulnerabilities that could be exploited to facilitate the dissemination of false information and compromise the personal data of users.”

Gallup’s Cross-Site Scripting Vulnerabilities

In the case of the first reflected XSS flaw, the researchers found that “the /kiosk.gx endpoint does not properly sanitize or encode the query string ALIAS parameter value before including it on the page.”

Exploitation of the vulnerability could allow malicious actors to execute code in the targeted user’s navigation session to perform various actions on their behalf, the researchers added.

“It’s important to note that this endpoint is commonly used to access Gallup surveys, which may make users more susceptible to exploitation,” the Checkmarx team wrote. “This could lead to unauthorized access to personally identifiable information (PII), manipulation of user preferences, and other detrimental actions.”

In the second flaw, the endpoint once again failed to protect query parameter values before adding them to the page, giving a malicious actor another opportunity to perform tasks disguised as the target users and even take over the account altogether.

To avoid similar XSS flaws, the researchers at Checkmarx suggest that cybersecurity teams ensure their data is properly encoded before sending it to the response markup (HTML) or page DOM. Further, they recommend tweaking the content security policy to block locations where the browser can fetch or execute scripts.

“The prevalence of misinformation was identified as the top global risk in 2024 by the World Economic Forum’s 'Global Risks Report 2024,’” Checkmarx vice president of security research Erex Yalon says. "[It’s important to] secure software that is prone to exploits of malicious actors, educate and close the knowledge gap, and hopefully safeguard the integrity of the election process."

This post was updated at 11:30AM ET on Sept. 11, 2024, to reflect that the bugs affected the website, not the Gallup Poll itself.

Another update was made at 4:53PM ET on Sept. 11, 2024 to clarify that neither vulnerability could have allowed attacker access to Gallup.com infrastructure and did not put internal data at risk of compromise.