
Hacker discovered serious vulnerabilities in Dutch vote-counting software
A Dutch hacker discovered serious vulnerabilities in the Dutch vote-counting software, the Election Board revealed in a statement published on Tuesday. The identified risks have since been rectified.
The software in question is OSV2020, which the Electoral Board provides to facilitate Dutch elections. Political parties can use the software to prepare and submit their candidate lists to the Electoral Board.
In late June, the Electoral Board was notified of several vulnerabilities in the software. This alert came from independent security expert Maarten Boone from Zerocopter. He found that the separate program required to install the software contained the provider's internal passwords.
In a blog post, Zerocopter detailed how Boone conceived the idea of testing the election software over dinner in July. He downloaded it and used a tool to decompile the software. He then quickly gained access to all the credentials and the software builders' deployment environment. “All of the above took less than an hour,” Zerocopter noted.
Within half an hour of discovering the vulnerabilities, Boone had contacted the Electoral Council to notify them, and the issue was resolved a few days later. “Security mistakes can happen at any stage of your development process, and it’s a good thing to let hackers check it regularly,” Zerocopter added.
The Electoral Council stated that the vulnerabilities were addressed before parties downloaded the software for the upcoming November election.
“The Electoral Board is grateful to Maarten Boone for his report,” stated Wim Kuijken, the chairman of the Electoral Board.