However, this is an implementation of the “Networking and Cryptography“ (NaCi), cryptography library created by the mathematician Daniel J. Bernstein and cryptographers Tanja Lange and Peter Schwabe.
As per the report, the voting system relied on the so-called deterministic encryption, which means that using the same parameters lead to identical ciphertexts.
Both the sender and the receiver received a shared key, which could be used for encryption or decryption of the message. Any constituent could theoretically decipher their own vote before it would get decrypted by the electoral commission, or even allow third parties to do so. In order to do that, the voter had to save their private key.
Likewise, to retrieve the private key, the constituent had to go to the e-bulletin page, open the developer console in their web browser and make a minor adjustment to the election.js library (add logpoint, enter: voter secret key is’, encryptor.keyPair.secretKey) and then cast their vote.
It has been analyzed that Meduza conducted an experiment where all participants retrieved their private keys and were reportedly able to decipher all of the votes as a result.
According to the publication, the vulnerability theoretically allows employers to make sure that their employees voted, and even check their votes after inducing them to save their private keys, as there have been reports suggesting that state-funded entities in Russia push their employees to vote at the government’s request.
In contrast, the same bug could be used to increase the transparency of the vote in the scenario where the electoral commission refuses to publish the decryption of each vote, as it did after the Moscow City Duma election in 2019, where blockchain was also supposedly used.
Thus, Meduza stated:
“For example, supporters of one specific candidate may agree to install the same browser extension. That way, they can track the minimum number of votes that their candidate should definitely get after the count.”