This paper briefly describes security challenges for critical web applications such as the Helios Voting system. After analyzing the Helios demonstration website, we discovered several small flaws that can have a large, security-critical impact. An attacker is able to extract sensitive information, manipulate voting results, and modify the information displayed by Helios without any deep technical knowledge or laboratory-like prerequisites. Displaying and processing trusted information in an untrustworthy user agent can render most protection mechanisms useless. Our attacks on Helios voting systems do not rely on an already infected or trojanized user machine; instead, we use simple and commonly known web browser features to mount information disclosure and state modification attacks. We propose that online voting applications should at least follow the latest vulnerability mitigation guidelines. In addition, privacy-sensitive applications should receive thorough and frequent coverage with automated as well as manual penetration tests. E-voting software driven by web browsers is likely to become an attractive target for attackers. The impact of successful exploitation can range from large-scale leakage of personal information and financial damage to maliciously intended information and state modification, with severe real-life consequences in many regards.