A bug in Moscow's Blockchain voting system may reveal how users voted

A group of journalists has discovered a vulnerability in the blockchain-based system used for the recent Russian vote. In particular, the bug could allow users' votes to be deciphered.

The report by Russian media outlet Meduza

On Wednesday, the last day of voting on constitutional amendments, the Russian media outlet Meduza published research showing that the keys for deciphering the votes could be retrieved using the HTML code of the electronic ballot.

Last week, the country voted on whether to approve or reject changes to Russia's constitution, the most striking of which lifted the two-term restriction for incumbent presidents, effectively allowing Vladimir Putin to stand for re-election until 2036.

In two parts of the country, Moscow and the Nizhny Novgorod region, people had the opportunity to vote electronically. Their votes were recorded on the Exonum-based blockchain system created by the Moscow Information Technology Department with the help of Kaspersky Lab.

According to Meduza's findings, the votes were encrypted using the TweetNaCl.js crypto library. This provides a deterministic algorithm, in the sense that given the same input data, the system generates the same crypto key, which is used both to encode and to decode the vote.

Meduza claims to have independently found the two keys universally used to encode the votes "yes" and "no". This allowed its team to decode the voting data, which was published in CSV files by the Department of Information Technologies as the vote progressed.

This transparency was intended to help independent observers verify that the votes were counted correctly, but it could also be used to verify how people voted, creating conditions under which some might have felt compelled to vote a certain way, Meduza wrote.
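The risk described above, as an added example that is not code from Meduza or from the Moscow system: when the vote is one of two values and encryption is deterministic, a published ballot list contains only two distinct ciphertexts, which an auditor can detect by counting repeats. Node's built-in AES-256-GCM stands in for TweetNaCl.js so the block runs without dependencies; the key, nonce, vote list and function names are constructed for illustration.

```javascript
const crypto = require("crypto");

// Constructed demo key (assumption; not a value from the real system).
const KEY = crypto.createHash("sha256").update("constructed-demo-key").digest();
// Weak setting: the same nonce for every ballot makes encryption deterministic.
const FIXED_NONCE = Buffer.alloc(12, 0);

function encryptVote(vote, nonce) {
  // Pad to a fixed width so ciphertext length does not reveal "yes" vs "no".
  const padded = vote.padEnd(8, " ");
  const cipher = crypto.createCipheriv("aes-256-gcm", KEY, nonce);
  const body = Buffer.concat([cipher.update(padded, "utf8"), cipher.final()]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]).toString("hex");
}

// Deterministic: identical votes always produce identical ciphertexts.
const deterministic = (vote) => encryptVote(vote, FIXED_NONCE);
// Randomized: a fresh nonce per ballot, so identical votes look unrelated.
const randomized = (vote) => encryptVote(vote, crypto.randomBytes(12));

// Audit check: how many distinct ciphertexts does a published list contain?
// A large list with as many distinct values as there are ballot options
// indicates deterministic encryption.
function distinctCiphertexts(ballots) {
  return new Set(ballots).size;
}

// With deterministic ciphertexts, grouping by value yields the tally split
// without any key, and every ballot in a group is known to match the others.
function groupSizes(ballots) {
  const counts = new Map();
  for (const b of ballots) counts.set(b, (counts.get(b) || 0) + 1);
  return [...counts.values()].sort((a, b) => b - a);
}

const votes = ["yes", "no", "yes", "yes", "no"]; // constructed sample
const detLedger = votes.map(deterministic);
const randLedger = votes.map(randomized);

console.log("deterministic distinct:", distinctCiphertexts(detLedger));
console.log("deterministic groups:", groupSizes(detLedger));
console.log("randomized distinct:", distinctCiphertexts(randLedger));
```

Randomization only removes the repeated-ciphertext signal; if the decryption key itself can be recovered, as Meduza reported, the ballots can still be read.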

BBC doubts and hacker attack during the vote

The BBC previously reported that Moscow state companies had forced their employees to register for electronic voting and even to share their account credentials with supervisors.

Kaspersky Lab press officer Olga Bogolyubskay said the company has nothing to add to the department's official comment, claiming to have provided "specialized support to the Moscow Information Technology Department" along with other companies.

"We have significant experience in ensuring the security and transparency of online mass voting using blockchain technologies through our Polys platform," added Bogolyubskay.

Meduza's report is only the latest concern about the security of the voting system. The Department of Information Technologies reported Friday that an "observation node" had been tampered with while the constitutional vote was underway.

However, according to independent election observers in Russia, there is no technical way to connect to the blockchain from the outside, as it ran entirely on the department's servers. In short, is the blockchain really as safe as they say?