The University of Sydney Union Board Election was subject to a serious flaw on the first day of electronic voting which allowed potential attackers to vote on behalf of other electors.
The exploit was a simple one, owing to the lack of voter verification measures implemented by the USU and their vendor, BigPulse. I detected and disclosed it to the USU’s Electoral Officer last night, and it was patched early this morning. So how did it work?
All that any curious voter needed to do was: one, click on their own personalised link; two, copy the URL it took them to into a new window; and three, enter a different USU number. They could then vote on that person’s behalf. No password or other identifier was needed: the personalised link got you to the login page, but the page itself accepted any USU number.
So how do you obtain a valid USU number? Well, any society executive probably has a Google Sheet with a wealth of such student data. Any computer science student could write a short script to enumerate every possible USU number. It wouldn’t have been complicated to vote on every USU member’s behalf for the same candidate. I thought it would be more fun guessing numbers for a while.
I took the liberty of guessing some random numbers in the form “19XXXXX”. In two minutes of typing in random numbers, I was able to log in to a random member’s account without their personalised link. I then realised the USU’s Director of People and Culture attached her number to the email, so I tried to sign in as her. It worked! I did not vote for either of them, and as soon as I realised that this devious behaviour was possible, I alerted the USU.
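To make the pattern concrete, here is an added example (not BigPulse’s or the USU’s code; written for this article) that models a ballot page which authenticates on the member number alone, beside one that binds the member number to the secret token carried in the voter’s personalised link. The sample electorate, the 7-digit “19XXXXX” number format, the HMAC token scheme and the server key are all assumptions for illustration, not details from the actual system.

```python
"""Toy model of a ballot login that trusts the member number alone,
and a hardened version that ties the number to the personalised-link token.
Added example: hypothetical code, not the real voting platform."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Assumed per-election secret held only by the server (never sent to voters).
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample electorate: member number -> display name (invented data).
MEMBERS: Dict[str, str] = {
    "1900001": "Voter A",
    "1900002": "Voter B",
}


def personalised_token(member_no: str) -> str:
    """Token embedded in a voter's personalised link (assumed scheme):
    HMAC-SHA256 of the member number under the server key, so it cannot be
    derived from the member number by anyone who lacks the key."""
    return hmac.new(SERVER_KEY, member_no.encode(), hashlib.sha256).hexdigest()


def vulnerable_open_ballot(member_no: str) -> Optional[str]:
    """Models the flawed flow described in the article: once any personalised
    link has been followed, the landing page accepts an arbitrary member number
    as the sole credential and opens that member's ballot."""
    return MEMBERS.get(member_no)


def hardened_open_ballot(member_no: str, token: str) -> Optional[str]:
    """Opens a ballot only if the supplied token is the one issued for this
    exact member number. compare_digest is constant-time, so an attacker
    cannot learn the token one character at a time from response timing."""
    if member_no not in MEMBERS:
        return None
    expected = personalised_token(member_no)
    if not hmac.compare_digest(expected, token):
        return None
    return MEMBERS[member_no]


def brute_force(open_ballot: Callable[[str], Optional[str]],
                prefix: str = "19", width: int = 7) -> List[str]:
    """Enumerate every member number of the given width and prefix and return
    those for which the handler opens a ballot. With the member number as the
    only credential the whole space is 10**(width - len(prefix)) guesses:
    100,000 for "19XXXXX", which is trivial to try."""
    digits = width - len(prefix)
    opened = []
    for n in range(10 ** digits):
        candidate = prefix + str(n).zfill(digits)
        if open_ballot(candidate) is not None:
            opened.append(candidate)
    return opened


if __name__ == "__main__":
    # Flawed flow: every member in the electorate is reachable by guessing.
    print("vulnerable:", brute_force(vulnerable_open_ballot))
    # Hardened flow: an attacker who only has the token from their own link
    # (Voter A's here) can open only their own ballot.
    attacker_token = personalised_token("1900001")
    print("hardened:", brute_force(lambda m: hardened_open_ballot(m, attacker_token)))
```

The hardened version removes the flaw the article describes, not every weakness: a production system would also make the token single-use or short-lived, rate-limit failed attempts per source, and log each ballot-open event so that an after-the-fact claim that nothing was abused can actually be checked.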
No process is totally secure, and online processes are even less so. Despite this fact, online elections can be designed securely, and have been for both the USU and SRC. The contract between the USU and BigPulse is probably worth a considerable amount of our money. It would be interesting to know why the error was allowed to occur.
The USU has now added a password to this login page, which remains unknown. They are adamant, on the basis of BigPulse’s analysis, that this flaw wasn’t abused by anyone. Can they know that for sure? I don’t think so. Are they right? Probably.
UPDATE: USU President Prudence Wilkins-Wheat told Honi, “The University of Sydney Union has been using BigPulse as a secure platform for its nominations and elections for the past 11 years and is currently running the 2022 USU Elections for over 30,000 students on our system.”
“Yesterday we became aware of a misconfiguration in the system which allowed unauthorised activity to occur on a small number of voting accounts (less than 10). This was rectified immediately, and re-voting rights have been assigned to these accounts.”