The analytics service used by the New South Wales electronic voting system, iVote, left voters vulnerable to having their ballots changed, according to security researchers. The iVote system was originally implemented ahead of the 2011 state election for vision-impaired voters and those living in rural areas who have difficulty reaching polling places, but the government is expanding the use of the iVote system as part of the election on March 28, and has taken approximately 66,000 votes since early polling opened last week. Researchers Vanessa Teague from the Department of Computing and Information Systems at the University of Melbourne, and J Alex Halderman from the University of Michigan Centre for Computer Security, found that while the voting website uses a safe SSL configuration, it includes JavaScript from an external server that is used to track site visitors. This, they said, would leave the iVote site open to a range of attacks, including FREAK.
Apple and Google were forced to patch their own browsers after it was found that the FREAK flaw could force browsers to use a weaker encryption cipher, leaving it vulnerable to man-in-the-middle attacks that can intercept and manipulate traffic. The researchers discovered that the FREAK attack could be used to change how a person votes using iVote, without the voter ever being aware.
The flaw was notified to CERT Australia on Friday, and the researchers said that iVote disabled the analytics code on Saturday. However, given that the polls have been open since March 16, many voters could have had their vote compromised.
Up until polling day, voters can log in and change their vote on the iVote system. The researchers stated that given the main gateway to the iVote site runs plain HTTP, it is still vulnerable to the ssl_strip attack.
Full Article: NSW Electoral Commission scrambles to patch iVote flaw | ZDNet.