We propose two novel voter authentication attacks in the context of the 2022 Ontario Municipal Election, which offered online voting to almost four million voters in over 200 municipalities. One attack exploits a misconfiguration in one of the voting portals used by up to one million voters. It was mitigated through a successful coordinated vulnerability disclosure that we conducted with the affected vendor during the election period. The other attack exploits widespread and insecurely discarded login credentials. This attack affects the vast majority of the deployments examined, and we study and quantify the risk for each city individually. In both cases, the risks were aggravated by unique, context-dependent factors, which we detail. Finally, toward quantifying this risk, and absent the availability of this data elsewhere, we present a comprehensive census of online deployments used in the province.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Credential Attacks in Ontario’s Online Elections

  • Eric Klassen,
  • James Brunet,
  • Nicole Goodman,
  • Aleksander Essex

摘要

We propose two novel voter authentication attacks in the context of the 2022 Ontario Municipal Election, which offered online voting to almost four million voters in over 200 municipalities. One attack exploits a misconfiguration in one of the voting portals used by up to one million voters. It was mitigated through a successful coordinated vulnerability disclosure that we conducted with the affected vendor during the election period. The other attack exploits widespread and insecurely discarded login credentials. This attack affects the vast majority of the deployments examined, and we study and quantify the risk for each city individually. In both cases, the risks were aggravated by unique, context-dependent factors, which we detail. Finally, toward quantifying this risk, and absent the availability of this data elsewhere, we present a comprehensive census of online deployments used in the province.