There has been a possible attack found on a system (IVXV online voting) that relies on users importing a malicious voting application which can fake a failure and then a restart to get the user's credentials twice (this way it will get the verifying QR code for the user's choice, hide it for a while, then vote again using the second credentials it got through the faked failure).
My question is: can session ID monitoring detect this attack?
Specifically, this code they added last May?
https://github.com/valimised/ivxv/blob/revealed/voting/inside/sessionstatus/rpc/consumer.go#L103
Is the problem solved this way?
I mean, I know this code is able to detect a change in session ID, but will this prevent the malicious application from deceiving the user into a second vote, since it will have the same session ID? Or would a malicious application have other ways to overcome this?
2- A second follow-up question: suppose it did detect, and hence prevented, deceiving the voter into a second vote. Can the server create another communication channel to inform the voter that he/she is using a malicious application?
Thanks