The South African National Elections will be held on 8 May 2019, and voters have been encouraged to register online through the Independent Electoral Commission (IEC) website.
The online portal has not always been the most secure platform, however, and a security flaw revealed in 2017 allowed attackers to potentially manipulate the registration system.
This week, MyBroadband was made aware of another security flaw affecting the IEC online registration portal – this time affecting those applying to vote from overseas.
Citizens who wish to vote in the 2019 elections while overseas must inform the IEC of their intention and submit a VEC 10 application online.
The VEC 10 application must be submitted through the elections registration portal before 13 March 2019 to be processed in time for the election.
There was a major security flaw in this system, though, which exposed the personal details of many South African voters.
After a VEC 10 application is completed and processed, voters are given a URL to access their receipt, This details whether their application was approved or declined.
However, this URL uses sequential numeric identifiers to access different application reports, and the recipient can simply change the number at the end of the URL provided to them to view other voters’ details.
There is no user authentication required to view any VEC 10 application report, and users do not need to complete an application themselves – they only require one user’s URL.
The nature of this vulnerability could allow attackers to scrape information from all VEC 10 applicants by iterating through each sequential numeric ID until no more results are found.
Judging from the populated reports of sequential URL IDs, MyBroadband found that there were over 36,000 application reports publicly accessible on the website.
These contained the following information for each voter:
- First Names
- Last Name
- South African ID number
- Province, Municipality, Ward, and District
- Cellphone number
- Email address
- Diplomatic mission
It is important to note that application reports for VEC 10 documents filed for this year’s elections and the 2014 elections are stored in the database.
After being alerted to the security flaw by MyBroadband, the IEC resolved the issue – which it said was caused by an attempt to address page expiry concerns.
“We have looked at the security flaw you identified, have attended to it, and it is resolved and eliminated,” said the IEC.
“It was an unintended attempt at addressing a page expiry concern.”
Following the IEC’s response, MyBroadband tested the fix and was no longer able to access the aforementioned voter details.