The Bug that made me President: A Browser- and Web-Security Case Study on Helios Voting

Mario Heiderich, Tilman Frosch, Marcus Niemietz, Jörg Schwenk

International Conference on E-voting and Identity (VoteID), 2011, Tallinn, Estonia, September 2011


Abstract

This paper briefly describes security challenges for critical web applications such as the Helios Voting system. After analyzing the Helios demonstration website, we discovered several small flaws that can have a large security critical impact. An attacker is able to extract sensitive information, manipulate voting results, and modify the displayed information of Helios without any deep technical knowledge or laboratory-like prerequisites. Displaying and processing trusted information in an untrustworthy user agent can lead to the issue that most protection mechanisms are useless. In our approach of attacking Helios voting systems we do not rely on an already infected or trojanized machine of the user; instead, we use simple and commonly known web browser features to leverage information disclosure and state modification attacks. We propose that online voting applications should at least follow the latest vulnerability mitigation guidelines. In addition, there should be thorough and frequent coverage with automated as well as manual penetration tests in privacy sensitive applications. E-Voting software driven by web browsers is likely to become an attractive target for attackers. Successful exploitation can have impact ranging from large scale personal information leakage, financial damage, calamitously intended information and state modification as well as severe real life impact in many regards.


Tags: e-voting