A vulnerability in a blockchain-based system used in Russia’s recent poll meant users’ votes could be decrypted, journalists found.
On Wednesday, the final day of a vote on constitutional amendments, Russian media outlet Meduza published research showing that the keys for decrypting votes could be retrieved using the HTML code of the electronic ballot.
Over the past week, the country has voted to approve or reject changes to Russia’s constitution, the most striking of which for presidents in office, effectively allowing Vladimir Putin to run for reelection until 2036.
In two parts of the country, Moscow and the region of Nizhny Novgorod, people had the option to vote electronically. Their votes were recorded on an Exonum-based blockchain created by Moscow’s Department of Information Technologies with the help of Kaspersky Lab.
According to Meduza’s findings, votes had been encrypted using the TweetNaCl.js cryptographic library. This provides a deterministic algorithm, meaning that with the same input data, the system generates the same cryptographic key, which is used for both encoding and decoding the vote.
As such, Meduza said it was able to find the two keys that were universally used to encode the “yes” and “no” votes. This allowed its team to decode the voting data, which was being in CSV files by the Department of Information Technologies as the voting proceeded.
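The following is an added example, not code from Meduza or from the voting system. It uses Node.js's built-in `crypto` module (AES-256-GCM) as a stand-in for TweetNaCl.js, with hypothetical function names, a constructed key and constructed ballots, to show the property a reviewer would test for: deterministic encryption of a two-option ballot yields only two distinct ciphertexts, while a fresh nonce per ballot plus fixed-length padding makes every ciphertext unique.

```javascript
const nodeCrypto = require('node:crypto');

const KEY = nodeCrypto.randomBytes(32); // constructed demo key, not a real election key
const PAD = 16;                         // fixed plaintext size so "yes" and "no" have equal length

// AES-256-GCM over a zero-padded vote; output is nonce || ciphertext || tag, hex encoded.
function seal(vote, nonce) {
  const padded = Buffer.alloc(PAD);
  padded.write(vote, 'utf8');
  const c = nodeCrypto.createCipheriv('aes-256-gcm', KEY, nonce);
  const body = Buffer.concat([c.update(padded), c.final()]);
  return Buffer.concat([nonce, body, c.getAuthTag()]).toString('hex');
}

// Inverse of seal(): verifies the tag and strips the zero padding.
function open(hex) {
  const raw = Buffer.from(hex, 'hex');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(raw.length - 16));
  const padded = Buffer.concat([d.update(raw.subarray(12, raw.length - 16)), d.final()]);
  return padded.toString('utf8').replace(/\0+$/, '');
}

// Weak: every input to the cipher is a function of the vote, so equal votes
// always produce byte-identical ciphertexts.
function encryptDeterministic(vote) {
  const nonce = nodeCrypto.createHash('sha256').update(vote).digest().subarray(0, 12);
  return seal(vote, nonce);
}

// Hardened: a fresh random nonce per ballot makes equal votes encrypt differently.
function encryptRandomized(vote) {
  return seal(vote, nodeCrypto.randomBytes(12));
}

// Audit check: number of distinct ciphertexts in a batch of ballots.
// If it equals the number of ballot options, ballots can be grouped by choice.
function distinctCiphertexts(encrypt, votes) {
  return new Set(votes.map(encrypt)).size;
}

const ballots = ['yes', 'no', 'yes', 'yes', 'no', 'yes']; // constructed sample ballots
console.log('deterministic:', distinctCiphertexts(encryptDeterministic, ballots));
console.log('randomized:   ', distinctCiphertexts(encryptRandomized, ballots));
```

Without the fixed-length padding, the differing lengths of "yes" and "no" would still distinguish ballots even with random nonces.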