Thousands of NSW state election votes submitted to iVote may have been affected by a server vulnerability, according to two security researchers who discovered the issue.
University of Melbourne Department of Computing and Information Systems research fellow Vanessa Teague and Michigan Centre for Computer Security and Society director J. Alex Halderman posted a blog with their findings on March 22.
“The iVote voting website, cvs.ivote.nsw.gov.au, is served over HTTPS. While this server appears to use a safe SSL configuration, the site included additional JavaScript from an external server,” wrote the researchers.
“The ivote.piwikpro.com server has very poor security. It is vulnerable to a range of SSL attacks, including the recently discovered FREAK attack.”
According to the researchers, a man-in-the-middle attacker could use the FREAK attack to manipulate the voter’s connection to the external server and inject malicious JavaScript into the iVote site.
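The trust problem the researchers describe can be audited from the page markup alone: every third-party script host joins the page's trust boundary, whatever the main server's TLS configuration. The following is an added example, not code from the researchers or from iVote; the sample HTML, the script paths, the `cdn.example` host and the check for a Subresource Integrity `integrity` attribute are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptAudit(HTMLParser):
    """Collect <script src=...> tags that load from a host other than the page's."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []  # (host, scheme, [issues]) per third-party script

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            return  # inline script: delivered over the page's own connection
        # Resolve relative and protocol-relative ("//host/x.js") references.
        url = urlsplit(urljoin(self.page_url, src))
        if url.hostname == self.page_host:
            return  # same host: covered by the page's own TLS configuration
        issues = []
        if url.scheme != "https":
            issues.append("not-https")
        if not attr.get("integrity"):
            # Without a pinned hash, the browser runs whatever that host's
            # connection delivers, so its TLS weaknesses become the page's.
            issues.append("no-sri")
        self.findings.append((url.hostname, url.scheme, issues))

def audit(page_url, html):
    """Return the third-party script hosts a page depends on, with issues."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; only the two iVote hostnames come from the article.
PAGE_URL = "https://cvs.ivote.nsw.gov.au/"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//ivote.piwikpro.com/piwik.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for host, scheme, issues in audit(PAGE_URL, SAMPLE_HTML):
        print(f"{host} ({scheme}): {', '.join(issues) or 'pinned'}")
```

Each host the audit reports should then have its own TLS configuration tested, since the page is only as secure as the weakest of them.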
Full Article: NSW iVote security flaw may have affected thousands of votes: Researchers – Computerworld.