PIT Statistics




Accepted Vulnerabilities


REDMINE ID: #153
SUBMISSION: Feb. 25th 2019, 12:51 (GMT+1)
RESEARCHER(S): muffinx & xorkwi
COMPENSATION: CHF 400.-

By inserting a crafted X-Forwarded-For HTTP header in the requests performed to some of the web services, an attacker was capable of inserting a chosen IP address into technical logs of the back-end system. No impact on the voting process has been demonstrated. It would however be a security best-practice to prevent this issue. According to Swiss Post this will be fixed in the future.
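The defensive counterpart to this finding, as an added example that is not part of the original report or of the Swiss Post system: a back-end only consults X-Forwarded-For when the request arrived from a trusted reverse proxy, takes the right-most address (the one appended by that proxy) and refuses to log anything that does not parse as an IP address. The trusted proxy range and the sample values are constructed for this example.

```python
import ipaddress
from typing import Optional

# Constructed for this example: address ranges of the reverse proxies that are
# allowed to set X-Forwarded-For. Hypothetical, not the e-voting deployment's.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_for_logs(peer_ip: str, xff_header: Optional[str]) -> str:
    """Return the address to record in the technical logs.

    peer_ip    - address of the TCP peer that delivered the request
    xff_header - raw value of the X-Forwarded-For header, or None if absent

    The header is consulted only when the peer is a trusted proxy. The chain is
    walked from the right, because a well-behaved proxy appends the real client
    address last; the first non-proxy address found wins. Any entry that does
    not parse as an IP address ends the walk and the peer address is logged
    instead, so a crafted header cannot plant chosen text in the logs.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted_proxy(peer) or not xff_header:
        return str(peer)
    for raw in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            # Malformed entry (injected text, hostname, empty): distrust the chain.
            return str(peer)
        if not _is_trusted_proxy(addr):
            return str(addr)
    # Every entry was one of our own proxies: fall back to the peer address.
    return str(peer)


def access_log_line(peer_ip: str, xff_header: Optional[str], request_line: str) -> str:
    """Compose one log line; the request line is repr()-escaped so control
    characters or newlines in it cannot forge additional log entries."""
    return f"{client_ip_for_logs(peer_ip, xff_header)} {request_line!r}"


if __name__ == "__main__":
    # Constructed sample: an untrusted peer claiming to be someone else.
    print(access_log_line("203.0.113.9", "198.51.100.1", "GET / HTTP/1.1"))
    # Constructed sample: trusted proxy forwarding a client with a crafted header.
    print(access_log_line("10.1.2.3", "<injected>, 203.0.113.5", "GET / HTTP/1.1"))
```

Where a load balancer rewrites X-Forwarded-For rather than appending to it, the same function still works: the single entry the proxy writes is the right-most one.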

REDMINE ID: #166
SUBMISSION: Feb. 25th 2019, 14:06 (GMT+1)
RESEARCHER(S): Dodoche
COMPENSATION: CHF 100.-

Both HTTP (TCP/80) and HTTPS (TCP/443) ports are available on address 'pit-admin.evoting-test.ch'. Security best practices require that, upon connecting to the cleartext HTTP port, clients are automatically redirected to the encrypted (HTTPS) service instead. By blocking the client immediately instead of redirecting it, this system does not act in accordance with security best practices.

REDMINE ID: #168
SUBMISSION: Feb. 25th 2019, 14:56 (GMT+1)
RESEARCHER(S): punitcingh
COMPENSATION: CHF 100.-

The landing page of the e-voting system uses a well-known front-end Web framework called Bootstrap. The version in use, 4.2.1, is affected by a known vulnerability that can lead to Cross-Site Scripting (XSS) in some specific scenarios which do not seem to apply here. However, it is a security best practice to use the latest version of a framework. The patch for this vulnerability (CVE-2019-8331) was released on Feb. 15th 2019.

REDMINE ID: #175
SUBMISSION: Feb. 25th 2019, 16:25 (GMT+1)
RESEARCHER(S): PentestPeople_SN
COMPENSATION: CHF 100.-

The front-end systems accessible at https://pit.evoting-test.ch and https://pit-admin.evoting-test.ch support and accept HTTPS connections using a variety of ciphers including cipher suites provided by outdated and vulnerable versions of TLS (TLS 1.0/1.1).

While this may appear at first glance as a breach to security best practices, it is actually done on purpose and in a way that does not make the e-voting system vulnerable to flaws deriving from these weak cryptographic protocols. Indeed, connections using weak cipher suites are only accepted by the front-end (and not by the e-voting system itself) and are only used to display a message to the voters, instructing them to use a recent and up-to-date web browser. The e-voting system itself, on the other hand, only accepts connections using TLS 1.2 cipher suites.

However, some specific cipher suites that are part of TLS 1.2 (and accepted by the voting system), specifically those using block ciphers in CBC mode of operation, may be vulnerable to a padding oracle attack known as "Lucky13".

While this vulnerability is known to be mostly theoretical, and almost impossible to actually exploit outside of lab environments, it would be a security best practice to disable the use of these cipher suites altogether.

REDMINE ID: #179
SUBMISSION: Feb. 25th 2019, 18:16 (GMT+1)
RESEARCHER(S): paggio
COMPENSATION: CHF 100.-

The 'Expect-CT' header - which is currently an Internet Draft - has been proposed to allow sites to opt in to reporting and enforcing Certificate Transparency requirements. The goal of this mechanism is to prevent the use of "rogue" certificates for a given domain from going unnoticed.

The e-voting system does not implement this header and thus does not benefit from this mechanism.

Note that this header has not yet been formally adopted as a standard and may not be supported by all browsers yet.

REDMINE ID: #183
SUBMISSION: Feb. 25th 2019, 20:37 (GMT+1)
RESEARCHER(S): DROOPER
COMPENSATION: CHF 100.-

The Content-Security-Policy HTTP header declared by the e-voting system does not declare the 'base-uri' directive. By doing so, it lowers the protection (at the browser level) against the exploitation of hypothetical Cross-Site Scripting (XSS) vulnerabilities.

REDMINE ID: #188
SUBMISSION: Feb. 25th 2019, 23:19 (GMT+1)
RESEARCHER(S): Jacob.Rees-Earcher
COMPENSATION: CHF 200.-

When connecting to 'pit-admin.evoting-test.ch', the server sends an HTTP-Strict-Transport-Security header not only on port 443 but also for plaintext HTTP connections, which is a violation of RFC 6797. The header also does not contain the 'includeSubDomains' directive, which would be a security best practice.

REDMINE ID: #232
SUBMISSION: Feb. 28th 2019, 14:48 (GMT+1)
RESEARCHER(S): pitbull
COMPENSATION: CHF 100.-

The e-voting system declares a Content-Security-Policy HTTP header containing the 'unsafe-eval' and 'unsafe-inline' expressions. By doing so, it lowers the protection (at the browser level) against the exploitation of hypothetical Cross-Site Scripting (XSS) vulnerabilities.

REDMINE ID: #234
SUBMISSION: Feb. 28th 2019, 14:57 (GMT+1)
RESEARCHER(S): pitbull
COMPENSATION: CHF 100.-

Some error messages sent as responses by the web server (specifically, the '403 Forbidden' status code) include two identical occurrences of the 'X-XSS-Protection' security header. This behavior is non-standard, and could lead to undefined behavior in some browsers.

REDMINE ID: #257
SUBMISSION: Mar. 03rd 2019, 19:39 (GMT+1)
RESEARCHER(S): CodeTherapist
COMPENSATION: CHF 100.-

Both voter and admin portals use a well-known JavaScript web framework named AngularJS. The version of this framework used by the e-voting system is 1.6.9. While no vulnerability is currently known to affect this version, it is no longer supported and should thus be upgraded to a currently supported version.

REDMINE ID: #272
SUBMISSION: Mar. 07th 2019, 11:47 (GMT+1)
RESEARCHER(S): punitcingh
COMPENSATION: CHF 100.-

Upon reception of requests whose content has been tampered with, the server usually responds with an error message. In some specific cases (e.g. 422 status codes) this response may include two occurrences of the 'Strict-Transport-Security' HTTP header with inconsistent contents (the declarations on both headers are not identical).

This behavior is non-standard, and could lead to undefined interpretation of the 'Strict-Transport-Security' directives in some browsers. As HSTS preloading is used, this should however not cause insecure situations.

REDMINE ID: #285
SUBMISSION: Mar. 15th, 11:00 (GMT+1)
RESEARCHER(S): cryptopathe
COMPENSATION: CHF 100.-

The e-voting system accepts connections from clients (browsers) using TLS 1.2.
However, two specific cipher suites that are part of TLS 1.2 and accepted by the voting system do not provide forward secrecy:

TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256

These cipher suites are not weak or broken. However, the lack of forward secrecy implies that decryption of recorded traffic would be facilitated in the future if at some point an attacker gains access to the encryption keys used by the e-voting server. This does not apply to the encryption of the votes, which would remain secure. Note that these cipher suites will generally only be used by the server and the clients if no stronger and better cipher suite is supported by both of them.
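A policy check covering both TLS findings on this page (#175, CBC suites in the Lucky13 class, and #285, TLS_RSA_* suites without forward secrecy), as an added example that is not code from the report or from the e-voting system. The first part classifies IANA-style cipher suite names as they appear in a scanner report or server configuration (the suite list is constructed, with the two suites named in #285 included); the second part builds the corresponding hardened server-side SSLContext with Python's ssl module, which uses OpenSSL cipher-string syntax and assumes an OpenSSL build offering ECDHE, AES-GCM and ChaCha20-Poly1305.

```python
import ssl

# Constructed sample of offered TLS 1.2 suites in IANA naming. The two TLS_RSA_*
# entries are the ones named in #285; the CBC entries stand in for the Lucky13
# class from #175. Not a capture from the e-voting front-end.
OFFERED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
]


def classify_suite(name: str) -> list:
    """Return the policy findings for one TLS 1.2 cipher suite (IANA name)."""
    findings = []
    # Static RSA key exchange: the premaster secret is encrypted to the server's
    # long-term RSA key, so a later key compromise exposes recorded sessions.
    if name.startswith("TLS_RSA_WITH_"):
        findings.append("no-forward-secrecy")
    # CBC bulk ciphers use MAC-then-encrypt in TLS 1.2; this is the class of
    # suites affected by the Lucky13 padding/timing oracle.
    if "_CBC_" in name:
        findings.append("cbc-lucky13-class")
    return findings


def allowed_suites(suites: list) -> list:
    """Keep only suites with no findings (forward-secret AEAD suites)."""
    return [s for s in suites if not classify_suite(s)]


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context that offers only ECDHE key exchange with AEAD bulk
    ciphers, TLS 1.2 or newer. No certificate is loaded here; a deployment
    would add load_cert_chain() before use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: ECDHE key exchange with AES-GCM or ChaCha20-Poly1305.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


if __name__ == "__main__":
    for suite in OFFERED_SUITES:
        print(f"{suite:48s} {classify_suite(suite) or 'ok'}")
    print("enabled by hardened context:",
          [c["name"] for c in hardened_server_context().get_ciphers()])
```

`SSLContext.get_ciphers()` reports, for each enabled suite, the key-exchange algorithm (`kea`) and whether the suite is AEAD, which is the easiest way to confirm on the actual OpenSSL build that nothing with static RSA key exchange or a CBC bulk cipher survived the cipher string.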

REDMINE ID: #294
SUBMISSION: Mar. 19th 2019, 00:48 (GMT+1)
RESEARCHER(S): 0x34044[REDACTED FOR PRIVACY]
COMPENSATION: CHF 100.-

Some HTTP responses sent by the e-voting system are missing the charset parameter in the Content-Type header.

While this does not currently have any known impact, it is however a breach of secure development best practices.

REDMINE ID: #295 (b)
SUBMISSION: Mar. 19th 2019, 00:59 (GMT+1)
RESEARCHER(S): 0x34044[REDACTED FOR PRIVACY]
COMPENSATION: CHF 100.-

Some responses from the e-voting server - specifically "302" redirect responses - are missing Content Security Policy HTTP headers. They are thus inconsistent with the rest of the application and in breach of security best practices.

REDMINE ID: #296
SUBMISSION: Mar. 19th 2019, 12:27 (GMT+1)
RESEARCHER(S): 0x34044[REDACTED FOR PRIVACY]
COMPENSATION: CHF 100.-

One specific endpoint of the e-voting system - /extended_authenticate - accepts 'text/plain' content-type instead of the 'application/json' observed for other endpoints.

Because browsers do not perform a CORS "pre-flight" check for requests whose content type is 'text/plain', it is possible to perform requests to this endpoint from any arbitrary origin domain.

While the usefulness of this attack appears to be very limited, it may nevertheless constitute a breach of security best practices.
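To make the mechanism behind this finding concrete, the following added example (not code from the report or from the e-voting system) does two things: it reproduces the browser-side rule that decides whether a cross-origin request is sent without a pre-flight, considering method and Content-Type only, and it shows the server-side gate for a JSON endpoint that refuses 'text/plain' so that any cross-origin caller is forced through a pre-flight. The origin allowlist and the request headers are constructed for this example.

```python
# Browser-side rule (Fetch standard, "CORS-safelisted" requests): a request with
# one of these methods and one of these media types is sent directly, with no
# OPTIONS pre-flight. Custom headers would also trigger a pre-flight; this
# example deliberately considers only method and Content-Type.
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_MEDIA_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Hypothetical allowlist for this example; the host name is the voter portal
# named on this page, the policy is not the system's own.
ALLOWED_ORIGINS = {"https://pit.evoting-test.ch"}


def _media_type(headers: dict) -> str:
    """Lower-cased media type of the Content-Type header, parameters stripped."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("content-type", "").split(";")[0].strip().lower()


def is_sent_without_preflight(method: str, headers: dict) -> bool:
    """True if a browser would send this cross-origin request with no pre-flight."""
    if method.upper() not in SAFELISTED_METHODS:
        return False
    media_type = _media_type(headers)
    # An absent Content-Type only occurs on body-less requests, which are safelisted.
    return media_type == "" or media_type in SAFELISTED_MEDIA_TYPES


def check_json_endpoint_request(method: str, headers: dict) -> tuple:
    """Server-side gate for a JSON API endpoint. Returns (http_status, reason).

    Rejecting everything except application/json means a browser cannot reach
    the endpoint cross-origin without a pre-flight, and the pre-flight is
    answered only for allowlisted origins.
    """
    if method.upper() != "POST":
        return 405, "method-not-allowed"
    if _media_type(headers) != "application/json":
        return 415, "unsupported-media-type"
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "origin-not-allowed"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests.
    for ctype in ("text/plain", "application/json"):
        hdrs = {"Content-Type": ctype, "Origin": "https://other.example"}
        print(ctype, "pre-flight-free:", is_sent_without_preflight("POST", hdrs),
              "server:", check_json_endpoint_request("POST", hdrs))
```

The combination matters: the server check alone is what closes the finding, while the browser-side rule explains why 'text/plain' acceptance was the problem in the first place.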

REDMINE ID: #318
SUBMISSION: Mar. 25th 2019, 14:37 (GMT+1)
RESEARCHER(S): kili
COMPENSATION: CHF 100.-

Upon connection attempts to http://pit-admin.evoting-test.ch/ (using plain HTTP) the server responds with a '403 Forbidden' response effectively rejecting the connection attempt. This response does however not define a Content Security Policy (CSP) header, thus breaching security best practices.
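Most of the accepted findings on this page are HTTP response header hygiene issues: no HTTPS redirect on the cleartext port (#166), CSP without 'base-uri' (#183), HSTS over plaintext HTTP and without 'includeSubDomains' (#188), 'unsafe-inline'/'unsafe-eval' in the CSP (#232), duplicated 'X-XSS-Protection' (#234), duplicated and inconsistent 'Strict-Transport-Security' (#272), Content-Type without charset (#294), and CSP missing on 302 and 403 responses (#295 (b), #318). The audit function below, an added example that is neither the report's tooling nor code from the e-voting system, checks one response at a time for all of them; the sample responses are constructed from the descriptions above and are not captured traffic.

```python
from collections import defaultdict

# Constructed sample responses modelled on the findings above (not captures).
# Each entry: (scheme, status, list of (header-name, value) in wire order).
SAMPLE_RESPONSES = {
    "plain_http_403": ("http", 403, [
        ("Content-Type", "text/html"),
        ("Strict-Transport-Security", "max-age=31536000"),
        ("X-XSS-Protection", "1; mode=block"),
        ("X-XSS-Protection", "1; mode=block"),
    ]),
    "https_422": ("https", 422, [
        ("Content-Type", "application/json; charset=utf-8"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
        ("Strict-Transport-Security", "max-age=15768000"),
        ("Content-Security-Policy",
         "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"),
    ]),
    "https_ok": ("https", 200, [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
        ("Content-Security-Policy", "default-src 'self'; base-uri 'self'; object-src 'none'"),
    ]),
}


def _parse_csp(value: str) -> dict:
    """Map each CSP directive name to its list of source expressions."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_response(scheme: str, status: int, headers: list) -> list:
    """Return a sorted list of finding tags for one HTTP response."""
    findings = []
    by_name = defaultdict(list)
    for name, value in headers:
        by_name[name.lower()].append(value.strip())

    # Repeated headers (#234); repeated with differing values (#272).
    for name, values in by_name.items():
        if len(values) > 1:
            findings.append(f"duplicate-header:{name}")
            if len(set(values)) > 1:
                findings.append(f"inconsistent-duplicate:{name}")

    if scheme == "http":
        # #166: the cleartext port should redirect to HTTPS rather than block.
        location = by_name.get("location", [""])[0]
        if not (status in (301, 302, 307, 308) and location.lower().startswith("https://")):
            findings.append("no-https-redirect")
        # #188: RFC 6797 section 7.2 forbids STS over non-secure transport.
        if "strict-transport-security" in by_name:
            findings.append("hsts-over-http")
    else:
        for hsts in by_name.get("strict-transport-security", []):
            tokens = [t.strip().lower() for t in hsts.split(";")]
            if "includesubdomains" not in tokens:       # #188
                findings.append("hsts-missing-includesubdomains")

    # #295 (b), #318: every response carries a CSP, redirects and errors included.
    csps = by_name.get("content-security-policy", [])
    if not csps:
        findings.append("missing-csp")
    for csp in csps:
        directives = _parse_csp(csp)
        if "base-uri" not in directives:                # #183
            findings.append("csp-missing-base-uri")
        for directive, sources in directives.items():   # #232
            for unsafe in ("'unsafe-inline'", "'unsafe-eval'"):
                if unsafe in sources:
                    findings.append(f"csp-{unsafe.strip(chr(39))}:{directive}")

    # #294: text responses must declare a charset.
    for ctype in by_name.get("content-type", []):
        if ctype.split(";")[0].strip().lower().startswith("text/") and "charset=" not in ctype.lower():
            findings.append("content-type-missing-charset")
    return sorted(findings)


if __name__ == "__main__":
    for label, (scheme, status, headers) in SAMPLE_RESPONSES.items():
        print(label, audit_response(scheme, status, headers) or "clean")
```

Feeding real responses into `audit_response` only requires splitting a raw response into its status line and header lines; keeping the headers as an ordered list rather than a dictionary is what makes the duplicate-header findings possible at all, since a dictionary would silently collapse the second copy.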



Countries


Country                      Percentage
Switzerland                   26.48 %
France                        13.15 %
United States of America       6.84 %
Germany                        4.49 %
India                          4.36 %
Poland                         2.89 %
United Kingdom                 2.89 %
Canada                         2.82 %
Italy                          2.54 %
Spain                          2.13 %
Romania                        1.44 %
Turkey                         1.41 %
Ukraine                        1.32 %
Bulgaria                       1.26 %
Belgium                        1.16 %
Netherlands                    1.16 %
Hungary                        1.00 %
Others                        22.66 %