Abstract
This paper briefly describes security challenges for critical web applications such as the Helios Voting system. After analyzing the Helios demonstration website, we discovered several small flaws that can have a large security-critical impact. An attacker is able to extract sensitive information, manipulate voting results, and modify the displayed information of Helios without any deep technical knowledge or laboratory-like prerequisites. Displaying and processing trusted information in an untrustworthy user agent can render most protection mechanisms useless. In our approach to attacking Helios voting systems we do not rely on an already infected or trojanized machine of the user; instead we use simple and commonly known web browser features to leverage information disclosure and state modification attacks. We propose that online voting applications should at least follow the latest vulnerability mitigation guidelines. In addition, privacy-sensitive applications should receive thorough and frequent coverage with automated as well as manual penetration tests. E-Voting software driven by web browsers is likely to become an attractive target for attackers. Successful exploitation can have an impact ranging from large-scale personal information leakage and financial damage to calamitously intended information and state modification, as well as severe real-life impact in many regards.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Heiderich, M., Frosch, T., Niemietz, M., Schwenk, J. (2012). The Bug That Made Me President a Browser- and Web-Security Case Study on Helios Voting. In: Kiayias, A., Lipmaa, H. (eds) E-Voting and Identity. Vote-ID 2011. Lecture Notes in Computer Science, vol 7187. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32747-6_6
DOI: https://doi.org/10.1007/978-3-642-32747-6_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32746-9
Online ISBN: 978-3-642-32747-6
eBook Packages: Computer Science, Computer Science (R0)