Credential Attacks in Ontario’s Online Elections
摘要
We propose two novel voter authentication attacks in the context of the 2022 Ontario Municipal Election, which offered online voting to almost four million voters in over 200 municipalities. One attack exploits a misconfiguration in one of the voting portals used by up to one million voters. It was mitigated through a successful coordinated vulnerability disclosure that we conducted with the affected vendor during the election period. The other attack exploits widespread and insecurely discarded login credentials. This attack affects the vast majority of the deployments examined, and we study and quantify the risk for each city individually. In both cases, the risks were aggravated by unique, context-dependent factors, which we detail. Finally, toward quantifying this risk, and absent the availability of this data elsewhere, we present a comprehensive census of online deployments used in the province.