A Bug Discovered in Moscow’s Blockchain Based Polling System

July 4, 2020 Editor's Desk

Russia’s new blockchain-based polling system might not be as secure as previously assumed. Russian journalists found a vulnerability in Moscow’s blockchain-based polling system that, if exploited, would let a third party decrypt users’ votes and see how they voted in the election.

The bug was reported on Wednesday by Meduza, a Russian online newspaper based in Riga. Meduza published research claiming that the decryption keys for the votes can be retrieved from the HTML code of the electronic ballot. From June 25 to July 1, 2020, Russian citizens voted on whether they supported the proposed constitutional amendments. One of the changes removes the two-term restriction for the Russian presidency, which would enable Vladimir Putin to stay in power until 2036.

Residents of Moscow and the Nizhny Novgorod region had the choice to cast their votes electronically. In Moscow’s case, the city’s Department of Information Technologies and Kaspersky Lab built a polling system that recorded votes on an Exonum-based blockchain. Poll data was encrypted with the TweetNaCl.js cryptographic library to keep the electronic votes confidential. According to Meduza, the system used a deterministic algorithm that produces the same cryptographic key if given similar input data.

Since the 2020 Russian constitutional referendum basically asked citizens to vote either “Yes” or “No,” there are two universally used keys in the system. Meduza said that, using the two keys, it was able to decode voting data published in CSV files by the Department of Information Technologies. The CSV files were published so that independent observers could confirm the vote count. But Meduza’s discovery indicated that third parties could verify how a particular person voted, which could mean that voters “may be pressured to vote a certain way in future polls.”
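The weakness Meduza describes, as an added example that is not code from the Moscow system or from Meduza: a simplified Node.js model (built-in `crypto` module rather than TweetNaCl.js) showing why deterministic encryption of a yes/no ballot makes published records linkable, next to a randomized version and a self-test an operator could run before publishing data. The key derivation, `ELECTION_KEY`, and all function names are assumptions made for illustration.

```javascript
// Simplified model for illustration; not the Moscow system's code.
const crypto = require('crypto');

const CHOICES = ['yes', 'no']; // the whole message space of the referendum

// AES-256-GCM over a fixed-width plaintext, so record length does not
// distinguish "yes" from "no". Returns nonce || ciphertext || tag as hex.
function seal(key, nonce, choice) {
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(choice.padEnd(8), 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]).toString('hex');
}

// Weak model (assumed): key and nonce are derived only from the input,
// so every voter who picks the same option publishes the same record.
function encryptDeterministic(choice) {
  const h = (label) => crypto.createHash('sha256').update(label + choice).digest();
  return seal(h('key:'), h('nonce:').subarray(0, 12), choice);
}

// Corrected model: one secret key (hypothetical stand-in for the
// election's real key management) and a fresh random nonce per ballot.
const ELECTION_KEY = crypto.randomBytes(32);
function encryptRandomized(choice) {
  return seal(ELECTION_KEY, crypto.randomBytes(12), choice);
}

// Self-test: encrypt each choice `rounds` times and report whether an
// observer could group the published records by vote.
function auditBallotSecrecy(encrypt, rounds = 50) {
  const records = new Set();
  const lengths = new Set();
  let total = 0;
  for (const choice of CHOICES) {
    for (let i = 0; i < rounds; i++) {
      const record = encrypt(choice);
      records.add(record);
      lengths.add(record.length);
      total++;
    }
  }
  const repeats = total - records.size;
  return { distinctRecords: records.size, repeats, linkable: repeats > 0 || lengths.size > 1 };
}

console.log('deterministic:', auditBallotSecrecy(encryptDeterministic));
console.log('randomized:   ', auditBallotSecrecy(encryptRandomized));
```

In the deterministic model the number of distinct records collapses to the number of ballot options, which is the signal the self-test flags as `linkable`.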

Nevertheless, the Department of Information Technologies disputed Meduza’s report. The department’s representative Artyom Kostyrko said that “people can only decode their own votes on their own devices,” which is contrary to the publication’s claim that one can decode any vote with the same cryptographic keys.
