Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

MIT Researchers Find Vulnerabilities in Voatz Voting App

Vulnerabilities in the Voatz Internet voting app could allow adversaries to alter, stop, or expose a user’s vote, security researchers from the Massachusetts Institute of Technology (MIT) have discovered. The vendor, however, has disputed their findings.

Vulnerabilities in the Voatz Internet voting app could allow adversaries to alter, stop, or expose a user’s vote, security researchers from the Massachusetts Institute of Technology (MIT) have discovered. The vendor, however, has disputed their findings.

The application was used during the 2018 midterm elections in West Virginia, and was also deployed in elections in Denver, Oregon, and Utah. It was also used at the 2016 Massachusetts Democratic Convention and the 2016 Utah Republican Convention.

Developed by the private Boston-based Voatz, the application is the first Internet voting app to have been used in high-stakes U.S. federal elections and is “on track to be used in the 2020 Primaries,” the researchers point out.

Voatz claims blockchain is used to ensure validity of votes, that votes are encrypted end-to-end and the identity of voters is anonymized. The company also says it can detect device compromise via jailbreak or malware, and that a cryptographically-signed digital receipt is delivered to the voter after the ballot has been submitted.

In their whitepaper (PDF), the researchers say that, due to a lack of transparency from Voatz, they “cannot make assumptions about what Voatz logs to their blockchain, the operational security of their servers, blockchain, or cryptographic keys used.”

Thus, the research focused on specific attacks that assumed the role of an adversary with control over parts of the election system, such as an individual’s device or Voatz’s API server, or the network activity between the voter’s device and the API server.

An attacker with root privileges on the device could disable Voatz’s host-based protections and alter the user’s vote without their knowledge, expose their private ballot, and exfiltrate the user’s authentication data, the researchers say.

Despite the optimistic use of blockchain (where all necessary security mechanisms are employed), Voatz’s API server could surreptitiously alter, view, or “invent” communications with the user’s device, and could execute man-in-the-middle attacks.

The researchers also claim that an adversary able to view the user’s network activity, without access to any key material, may at least learn how the user voted, because the app leaks the length of the plain-text.

Additionally, the researchers explain that both Voatz and Jumio are provided with user information that includes their email, physical address, birth date, IP address, a current photo, device model and OS version, and preferred language.

MIT researchers claim that, because Voatz restricts the use of their app on certain device models, adversaries may trick owners of unsupported devices into installing malicious apps via legitimate-looking websites. They also note that the app leaves users vulnerable to coercion attacks, as it does not require them to re-enter their PIN at login, after registration.

The researchers reported their findings to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). They also worked with election security officials within CISA and the vendor to ensure that all parties were aware of the discovered issues before the research was made public.

For their analysis, the MIT researchers reverse engineered the Voatz Android application and used a clean-room reimplementation of Voatz’s server. They chose not to dissect the application version offered through Voatz’s bug bounty program on HackerOne, saying the differences between the two versions were unclear.

The researchers also mention the company’s unwillingness to provide details on their system and threat model, despite calls from security researchers and elected representatives. In 2018, Voatz contacted the FBI after a researcher from the University of Michigan performed a dynamic analysis of their application.

“This opaque stance is a threat to the integrity of the electoral process. Given the contentious nature of high-stakes elections, the stringent security requirements of voting systems, and the possibility of future interference by foreign government intelligence agencies, it is crucial that the details of any fielded election system be analyzable by the public,” the researchers note in their whitepaper.

Voatz, however, claims that the MIT research is flawed to the bone. The company says the analyzed application is old and was never used in elections and that, because the app never connected to a Voatz servers, the researchers make “assumptions about the interactions between the system components that are simply false.”

The company also claims that it has been very open with “qualified, collaborative researchers,” which it educates “on the critical demands of election security.” While saying that it encountered no issues in the governmental pilot elections conducted to date, Voatz has attempted to smear MIT’s analysis, saying the researchers acted in bad faith.

“It is clear that from the theoretical nature of the researchers’ approach, the lack of practical evidence backing their claims, their deliberate attempt to remain anonymous prior to publication, and their priority being to find media attention, that the researchers’ true aim is to deliberately disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion,” Voatz says.

Related: Firm Analyzes China, Russia-based Supply Chain Risks of Electronic Voting Machines

Related: Second Critical Crypto Flaw Found in Swiss E-Voting System

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.