Skip to main content

Posts

Showing posts from January, 2022

Finding vulnerabilities in Swiss Post’s future e-voting system - Part 1

In September '21, I came across this story  "Swiss Post Offers up to €230,000 for Critical Vulnerabilities in e-Voting System" while catching up with the security news.  The headline certainly caught my attention as it looked like an outlier from the regular bug bounty programs or well-known exploit contests, not only for the announced rewards but mainly because of the target. So essentially Swiss Post , the national postal service of Switzerland, was opening to the general public a bug bounty program, using the YesWeHack platform, intended to uncover vulnerabilities in its future e-voting system. The first part of this blog post series will detail the approach used to analyze the Swiss Post e-voting system, as well as the first round of vulnerabilities that I reported during September/October '21. Index Introduction Approach Attack Surface Vulnerabilities     1.  Insecure USB file handling during 'importOperation'     2.  Insecure 'ReturnCodeGenerationI