Critical Security Flaw In iVote System Puts Online Votes At Risk

Critical Security Flaw In iVote System Puts Online Votes At Risk

E-voting vendor Scytl and the NSW Electoral Commission have introduced a new way to vote via internet (iVote) for this month's state elections. 

Security researchers have identified a critical vulnerability in the iVote system that allows attackers to read and manipulate votes. Researchers alerted the the NSW Electoral Commission on Friday and they fixed the issue by modifying system codes.


Vanessa Teague, who found the security vulnerability, said, "The iVote voting website is served over HTTPS", but the site "included additional JavaScript from an external server ivote.piwikpro.com" that has very poor security and "it is vulnerable to a range of SSL attacks, including the recently discovered FREAK attack."

"We confirmed that a man-in-the-middle attacker could exploit the FREAK attack to manipulate the voter’s connection to ivote.piwikpro.com and inject malicious JavaScript into the iVote site. This code could arbitrarily change how the site operates without triggering any browser security warnings."

"FREAK affects major desktop and mobile browsers, including Internet Explorer, Chrome, and Safari, and while the browser makers have released fixes over the last two weeks, many users haven’t updated yet," Teague added.

They also built a proof of concept that illustrates how this problem could be used by an attacker to steal votes -- If a voter uses iVote from a malicious network, the malicious network injects code that stealthily substitutes a different vote of the attacker’s choosing. They also demonstrate how the attacker can steal the voter’s secret PIN and receipt number and send them, together with the voter’s secret ballot choices, to a remote monitoring server.

No comments

Powered by Blogger.