Post by Hockey on Apr 12, 2020 5:12:33 GMT
So fionn came to me today with an interesting question: Someone posted the Votifier public key for another server, how would I use this to create fake votes? Because Votifier is open source, I took a look at the source, and it turns out, it's actually quite easy.
Votifier uses public key cryptography to manage voting. It generates a keypair, and server owners give the public key to voting sites. Voting sites encrypt a message about a voter and send it to the server when a player votes. This said, Votifier does not make proper use of public key cryptography. The same level of security could be achieved with symmetric cryptography. Anyone with access to the public key can spoof votes to a server (whereas with proper implementation, a public key should typically be able to be public). This is because Votifier does not verify that votes are cryptographically signed by a legitimate vote site. I wrote more about it at my project repo here. I guess this technically isn't a full "hack", per se, because it requires that you gain access to the public key, but this tool makes it extremely easy to exploit Votifier's poor cryptography scheme.
Anyone interested should check out my repo here: github.com/Hockeyfan360/Votifier-Spoofer
as well as this class here which lays out how Votifier votes are received and decrypted: github.com/vexsoftware/votifier/blob/master/src/main/java/com/vexsoftware/votifier/net/VoteReceiver.java
That's all. Please comment and like so I can feel validated. kbye
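The check the post says is missing, verifying that a vote was signed by a known vote site, shown as an added example; it is not code from the post, from the linked repos, or from Votifier. The class name, the site registry, the site name `example-list` and the sample payload are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Map;

public class SignedVoteCheck {
    // Hypothetical registry: vote-site name -> that site's OWN public key.
    // The site signs with its private key, so knowing any public key is not enough to forge.
    static boolean verifyVote(Map<String, PublicKey> trustedSites, String site,
                              byte[] payload, byte[] signature) throws GeneralSecurityException {
        PublicKey siteKey = trustedSites.get(site);
        if (siteKey == null) return false;            // sender is not a registered vote site
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(siteKey);
        verifier.update(payload);
        try {
            return verifier.verify(signature);        // false if payload or signer differs
        } catch (SignatureException e) {
            return false;                             // malformed or wrong-length signature
        }
    }

    // What a vote site would do before sending (shown only so the example runs end to end).
    static byte[] sign(PrivateKey key, byte[] payload) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(payload);
        return signer.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair siteKeys = gen.generateKeyPair();     // held by the legitimate vote site
        KeyPair otherKeys = gen.generateKeyPair();    // a key pair the site does not own
        Map<String, PublicKey> trusted = Map.of("example-list", siteKeys.getPublic());

        // Constructed sample payload, not captured traffic.
        byte[] vote = "example-list\nSteve\n203.0.113.7\n1586668353\n".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = vote.clone();
        tampered[13] ^= 1;                            // flip one bit in the username

        byte[] goodSig = sign(siteKeys.getPrivate(), vote);
        System.out.println("genuine vote:     " + verifyVote(trusted, "example-list", vote, goodSig));
        System.out.println("wrong signer:     " + verifyVote(trusted, "example-list", vote, sign(otherKeys.getPrivate(), vote)));
        System.out.println("tampered payload: " + verifyVote(trusted, "example-list", tampered, goodSig));
        System.out.println("unknown site:     " + verifyVote(trusted, "other-list", vote, goodSig));
    }
}
```

Only the first case is accepted. A signature by itself does not stop a captured vote from being replayed, so a receiver would also need a freshness check such as a timestamp window or a server-issued nonce.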