Votes can be submitted with the same ciphertexts

[pleasework-sh]

Testing was done in the mock election live during DEFCON32.

If you intercept your POST request to the /api/submit-vote endpoint after you've made your selections, you can just resend the same ciphertexts.

On the election status page, they show up as different votes, but the same ciphertexts. They also end up having the same verification numbers.

See the below for the sample POST request.

POST /api/submit-vote HTTP/2
Host: siv.org
Content-Length: 1603
Sec-Ch-Ua: "Chromium";v="121", "Not A(Brand";v="99"
Accept: application/json
Content-Type: application/json
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Sec-Ch-Ua-Platform: "Linux"
Origin: https://siv.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://siv.org/election/1723075118561/vote?auth=link
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i

{"auth":"link","election_id":"1723075118561","encrypted_vote":{"film_Hackers":{"encrypted":"de5d230d05fd6a919bf5f385670e1c256fe59ab11cc1fead3985573715b42020","lock":"4ab6b13b8a28363c05eca5e55f7d3f4ffb34ace66cc78c884662834e9d8d4b47"},"film_Sneakers":{"encrypted":"f28840b891fb2f1e2464fdd1348a83af1bd5235b61328a845046c42f894cc578","lock":"70349bbe7760bf4888debbd289a6153aeab3b80932a60a3e6ab34976b123ce45"},"film_WarGames":{"encrypted":"42b62cbfa0f72bca1bc0afe97d15aa157116d768029a89f4f56cddb7bfaf552f","lock":"84412d9e6801063062103e8bc89d91b8259a8bf1c00e34efc7a798404426936e"},"film_The Matrix":{"encrypted":"c65fbe063a1964fdba595253753cd4c4151bbda8e3a50baef1bb773875b6f84b","lock":"664ab05561c269d0aefef797ccda2471ece660288ccd523dd73c1419e17cf63d"},"film_Ghost in the Shell":{"encrypted":"1ce490931351eca7fdd8eef332a4e4bb1e845356d4244eba5e696d97bcc4c776","lock":"50e3d6bc8d35d972d94a485e1d0e73ce904ed86998f7147470544fd04aed4151"},"film_Blackhat":{"encrypted":"70a14035d60140fb803d0d82f2fa007303fc0966e6d768e287ea1af7e47e934f","lock":"743872584416ead1de30ca0dec45146d7ef4172ab5a2d5702426e6b170477b1f"},"film_Swordfish":{"encrypted":"fe834d77bc051359fac121adc8c2a924b886800ed6e6ab9dfad4ac28df608a39","lock":"82c9a25961d9a3f20d0c1a5282f1f183722a19003459c6771c29e51e9f9f985e"},"whitespace":{"encrypted":"aecc0da8a9af5eaa4bf25b175973b4493debe11fb67e1df958c7bd20e4183515","lock":"4045c5d9dced438d0ec29765f17530cd5005274c674aa9cad3e4345649e0b131"},"lang":{"encrypted":"107e0aa844e4a27186516d3bd1e26cab9beb0d7d678f6ab411c522837a024665","lock":"fa4a14e7816115c0787f66158f2abcf044d8a0c2226f7b8c6384081aef330a0e"}}}

Sample request in burp suite repeater that you can use to resend POST requests.

See the votes that show up with the same ciphertexts here.

After you enter your information in the /auth page multiple times, your verification number ends up the same even though you technically voted multiple times and entered your information to the /auth page with different ID's.

Maybe additional device verification checks would be in order? (EX - looking at the request IP - if the request keeps coming from the same IP, same browser - don't allow that to be submitted.)

[pleasework-sh]

This makes me question if you can trust who submitted the vote potentially. Just thinking out loud.

[dsernst]

Check out https://github.com/siv-org/siv/issues/69 !

[pleasework-sh]

Ah, I didn't look far back enough. I'll check past issues before submitting. Thanks!

[arianabuilds]

Entry Summary for HACK SIV @ DEF CON 2024

Thanks again for participating! This submission earned $22.68 from SIV and $67.14 from the Public Vote, for a total of $89.82.

Here's what we noted in our evaluation:

What's interesting about this submission

• Almost rediscovered a very clever theoretical privacy attack we knew about, called the "Cloned Ciphertext Attack" https://github.com/siv-org/siv/issues/69

What takes away from it

• Not clear what the reported attack is exactly.
• As reported, pretty straightforward to mitigate.
• Costs one Voter Auth Token to carry out, not exactly cheap
• The report says "can't tell who votes came from", but the vote content isn't meant for authentication. The auth tokens are. The ciphertext has no impact on auth.
• The theoretical privacy attack that they almost rediscovered was a known issue we had already been exploring https://github.com/siv-org/siv/issues/69 for a long time.

Issue to track getting paid: https://github.com/siv-org/hack.siv.org/issues/5