Application Security , Critical Infrastructure Security , Endpoint Security

Academic Study Finds Security Flaws in Online Voting Tool

OmniBallot Voting Platform Is Vulnerable to Hacking, Researchers Say
Academic Study Finds Security Flaws in Online Voting Tool

Researchers at the Massachusetts Institute of Technology and the University of Michigan have uncovered multiple security flaws in an online voting platform called OmniBallot. These flaws could enable hackers to access and manipulate voter data, according to a paper published this week.

See Also: Safeguarding Election Integrity in the Digital Age

Currently, OmniBallot is used in Delaware, New Jersey and West Virginia, and is designed to allow military personnel to cast their ballots while overseas. In addition, the online voting platform lets those with disabilities vote during the ongoing COVID-19 pandemic, according to Democracy Live, which developed the platform.

The OmniBallot platform allows voters to download a blank ballot, mark it and then send it through either mail, fax or email for verification, according to Democracy Live. After the results of the joint study were published this week, Bryan Finney, founder and president of Democracy Live, disputed the results and said the platform had undergone security testing by a third party.

What the Researchers Found

The combined MIT and University of Michigan study found that the APIs used with the OmniBallot software and its transmission of voter data to Democracy Live's servers leaves several security loopholes that hackers can exploit to access this sensitive data.

This includes potentially exposing information on a voter's identity, ballot selections and browser history. In addition, since OmniBallot does not have a tool for verifying the submitted votes, the study finds that a hacker could intercept the data to manipulate votes and further use it for political ad targeting or disinformation campaigns.

"We conclude that using OmniBallot for electronic ballot return represents a severe risk to election security and could allow attackers to alter election results without detection," Michael A. Specter and J. Alex Halderman, the two researchers who conducted the study, write.

Research Methodology

To analyze the software, the researchers say they reverse-engineered the publicly available elements of OmniBallot. To avoid the legal complications of connecting to a server containing actual voting data, the researchers used their own server to create a simulated voter system, according to the paper.

"Next, we iteratively reverse-engineered the code to understand each server API call and the format of the expected response, repeating this process until we could complete the voting process using a local stand-in server we created," according the paper.

The analysis revealed that these APIs are hosted in Amazon Web Services CloudFront - a cloud-based content delivery network. The app also loads JavaScript libraries from Google Analytics and Cloudflare, the paper notes.

From there, the researchers looked at three possible attack scenarios:

Through Voter's Device: The researchers note that any adversary can alter a voter's web browser activities by modifying HTTP requests or responses, or by injecting JavaScript into the context of the site. According to the study, client-side adversaries pose significant threats as attackers can use a bot or malware to infect a large number of OmniBallot voters' devices.

Server-Side Attacks: The researchers say the software's architecture makes server-side attacks "very powerful," as threat actors can use this method to steal private information and modify election data - including voted ballots - the study notes. This vulnerability could be exploited by software engineers and system administrators at Democracy Live, insiders at Amazon, which owns and operates the OmiBallot's physical servers, and external attackers who manage to breach the servers or Democracy Live's development systems, the report adds.

Risk of Third-Party Code: Since the software uses third-party software and services, the researchers note that the attackers can hijack JavaScript libraries to target voters and their data.

Manipulating Online Ballots

Since voters use OmniBallot to mark ballots online and then print them and return a physical ballot for tallying, the researchers note that these security vulnerabilities pose a great threat to blank ballot delivery, including misdirection and manipulation.

"OmniBallot's online ballot marking configuration could allow attackers to see the voter's selections before the ballot is generated, allowing them to surgically suppress votes for a particular candidate by misdirecting or modifying only those ballots," the study finds.

Another possible challenge is that hackers can compromise ballot secrecy by injecting code into the software, where they can then access and exfiltrate the voters' identity and ballot choices. Since OmniBallot does not use end-to-end verifiability, the researchers add that hackers could intercept the ballot return feature and change the vote to the threat actor's choice.

Democracy Live Pushes Back

After the study's results were published, Finney disputed the results in a statement: "The report did not find any technical vulnerabilities in OmniBallot. The authors take issue with online technologies in general relating to the transmission of ballots."

Finney told Information Security Media Group that a company called Shift State Security conducted penetration test of the OmniBallot platform and concluded the tool was secure.

"Shift State Security, led by a team of former FBI cybersecurity agents, reviewed all third-party penetration," Finney says. "Shift State has stated that no testing of OmniBallot resulted in compromise of the OmniBallot system."

Other Studies

In addition to the questions raised about OmniBallot, researchers found flaws in other voting apps as well. In February, another team of MIT researchers published a technical paper that describes several security flaws in Voatz, a smartphone app used for limited online voting during the 2018 U.S. midterm elections (see: MIT Researchers: Online Voting App Has Security Flaws).

The makers of the Voatz app contend that the research was flawed when it was published.

Another app used in the Iowa Democratic caucuses in February also malfunctioned, causing widespread confusion and the delay of results of that contest (see: The Iowa Caucus: No Hacking, But a Bungled Risk Matrix).

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.