Thousands of NSW state election votes submitted to iVote may have been affected by a server vulnerability according to two security researchers who discovered the issue.
University of Melbourne Department of Computing and Information Systems research fellow, Vanessa Teague, and Michigan Centre for Computer Security and Society director ,J.Alex Halderman, posted a blog with their findings on March 22.
“The iVote voting website, cvs.ivote.nsw.gov.au, is served over HTTPS. While this server appears to use a safe SSL configuration, the site included additional JavaScript from an external server,” wrote the researchers.
“The ivote.piwikpro.com server has very poor security. It is vulnerable to a range of SSL attacks, including the recently discovered FREAK attack.”
According to the researchers, a man-in-the-middle attack could exploit the FREAK attack to manipulate the voter’s connection to the iVote server and inject malicious JavaScript into the iVote site.
Teague and Halderman reported the vulnerability to CERT Australia last Friday. The NSW Electoral Commission updated iVote to disable the code.
“Unfortunately, the system had already been operating insecurely for almost a week, exposing tens of thousands of votes to potential manipulation,” said the blog.
Teague and Halderman also pointed out that while the vote submission website now uses SSL safely, the main gateway to it is still running HTTP.
“This means that even with the FREAK vulnerability repaired, an attacker can still target voters before they reach the secure server using the classic SSL strip attack.”
According to the researchers, iVote has received more than 66,000 votes.
In response, NSW Electoral Commission CIO Ian Brightwell said the injection would have only worked in an environment where both the server and the browser were not patched.
“We have disconnected the server. The risk was very low,” he said.
“We have always accepted that there is going to be a risk that the voter’s vote could be corrupted in the browser, that’s why we have the verification server.”
If people have any concerns about their vote, they can verify that their vote has been recorded by phoning 1300 138 739.
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia