
A vulnerability in a blockchain-based system used in Russia’s recent poll meant users’ votes could be decrypted, journalists found.
On Wednesday, the final day of a vote on constitutional amendments, Russian media outlet Meduza published research showing the keys for decrypting votes could be retrieved using the HTML code of the electronic ballot.
Over the past week, the country has voted to approve or reject changes to Russia’s constitution, the most striking of which eliminated the two-term restriction for presidents in office, effectively allowing Vladimir Putin to run for reelection until 2036.
In two parts of the country, Moscow and the region of Nizhny Novgorod, people had an option to vote electronically. Their votes were recorded on an Exonum-based blockchain system created by Moscow’s Department of Information Technologies with the help of Kaspersky Lab.
According to Meduza’s findings, votes had been encrypted using the TweetNaCl.js cryptographic library. This provides a deterministic algorithm, meaning that with similar input data, the system generates the same cryptographic key, which is used for both encoding and decoding the vote.
As such, Meduza said it was able to find the two keys that were universally used to encode the “yes” and “no” votes. This allowed its team to decode the voting data, which was being published in CSV files by the Department of Information Technologies as the voting proceeded.
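The key reuse described above is something an auditor can test for in ballot data before it is published. The following Python sketch is an added example, not code from Meduza or the department; the column names, the key derivation in `make_record`, and the SHA-256 stand-ins for a public key and a cipher are assumptions made for illustration.

```python
import hashlib
import secrets
from collections import Counter

COLUMNS = ("sender_key", "nonce", "ciphertext")  # hypothetical column names

def make_record(choice: str, deterministic: bool) -> dict:
    """Build one constructed ballot row as it might appear in a published file."""
    if deterministic:
        # Weak model: secret and nonce are pure functions of the answer.
        secret = hashlib.sha256(b"ballot-key|" + choice.encode()).digest()
        nonce = bytes(12)
    else:
        # Sound model: fresh randomness for every ballot.
        secret = secrets.token_bytes(32)
        nonce = secrets.token_bytes(12)
    # A hash of the secret stands in for the public key derived from it.
    sender_key = hashlib.sha256(b"pub|" + secret).hexdigest()
    # A SHA-256 pad stands in for a real cipher (illustration only).
    pad = hashlib.sha256(secret + nonce).digest()
    body = choice.encode().ljust(16, b"\0")
    ciphertext = bytes(a ^ b for a, b in zip(body, pad)).hex()
    return {"sender_key": sender_key, "nonce": nonce.hex(), "ciphertext": ciphertext}

def audit_linkability(records: list, n_options: int) -> dict:
    """Report how often published key, nonce and ciphertext values repeat."""
    report = {"ballots": len(records), "linkable": False}
    if not records:
        return report
    for column in COLUMNS:
        counts = Counter(r[column] for r in records)
        report[column] = {"distinct": len(counts),
                          "largest_group": max(counts.values())}
    # Per-ballot randomness makes every sender_key and ciphertext unique. When
    # the distinct values collapse to the number of answers, each group is one
    # answer, so learning a single ballot's content labels its whole group.
    collapsed = min(report["sender_key"]["distinct"],
                    report["ciphertext"]["distinct"]) <= n_options
    report["linkable"] = collapsed and len(records) > n_options
    return report

if __name__ == "__main__":
    votes = ["yes"] * 6 + ["no"] * 4  # constructed sample, not real ballot data
    for mode in (True, False):
        rows = [make_record(v, deterministic=mode) for v in votes]
        print("deterministic" if mode else "randomized", audit_linkability(rows, 2))
```

In the deterministic model the ten constructed ballots collapse into two key groups, one per answer, while the randomized model yields ten distinct keys and ciphertexts.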
Such transparency was intended to help independent observers to check the correctness of the vote count, but can also be used to check how particular people voted, bringing the threat that they may be pressured to vote a certain way in future polls, Meduza wrote.
The BBC has previously reported that city-owned companies in Moscow had been forcing their employees to register for electronic voting and even share credentials for their accounts with supervisors.
The Department of Information Technologies’ representative Artyom Kostyrko commented on Meduza’s report Wednesday, saying people can only decode their own votes on their own devices. That contradicted Meduza’s report, which said it’s possible to decode any vote using the same cryptographic keys.
The department’s press office did not respond to CoinDesk’s request for comment by press time.
Kaspersky Lab’s press representative, Olga Bogolyubskay, told CoinDesk the company has nothing to add to the official comment by the department, but did say it has been providing “expert support to the Moscow Department of Information Technology,” along with other companies.
“We have expertise and significant experience in ensuring the security and transparency of mass online voting using blockchain technologies through our Polys platform,” Bogolyubskay added.
Meduza’s report is just the latest security concern with the voting system. The Department of Information Technologies reported Friday an “observation node” had been attacked while the constitutional vote was underway. However, according to independent elections observers in Russia, there is no technical way to connect to the blockchain from the outside, as it ran entirely on the department’s servers.