Date: 2021-11-24

The application that records the votes in the PSDB (Partido da Social Democracia Brasileira) primaries does not follow good cybersecurity practices for internet voting. Among the problems discovered, an attacker with access to the server could intercept the vote log and find out which candidate a party member chose.

Prof. Dr. Paulo Matias, from the Department of Computing at the Federal University of São Carlos (UFSCar), recommends that the PSDB replace “the application currently used with an established, open-source and end-to-end verifiable platform, such as Helios Voting, to carry out their primaries”.

Matias also comments that end-to-end verifiability is considered an essential requirement for an online voting system. “End-to-end verifiable systems like Helios provide a tracking code that provides a cryptographic guarantee to the voter that their vote was actually counted in the final result,” he adds.

The PSDB contracted Faurgs (Support Foundation of the Federal University of Rio Grande do Sul), via the Eduardo Leite (RS) government, for about R$ 6 million to “provision services of analysis, architecture, programming and testing of software products and applications and services specializing in new technologies”, according to Veja. The app has been showing problems such as instability for a few days; it became unstable on the 21st. Voting in the primaries runs until the 28th of November.

In an analysis published on GitHub, Paulo Matias makes it clear that he does not own the copyright of the screen layout or the logos shown below, and notes that he did not have access to the server’s source code or to the responses to requests made to the real server.

After analyzing the application, the professor comments that the server has access to the vote in the clear. That is, the server has access to enough information to infer (depending on the software or hardware installed on it) which vote was cast by the voter.

TechWorld contacted the PSDB on Tuesday afternoon (23) for comment on the case. When we have an answer, this story will be updated.

