TYPE
infoleak
This is a vote timestamp leak that affects voters who voted through SecurePoll. The exact voting time was leaked without encryption.
STATUS
ISSUE DISCOVERED:
2 JAN 2022
ISSUE REPORTED:
2 JAN 2022
ISSUE FIXED:
20 JAN 2022
CONFIRMED FIXED:
6 FEB 2022
As of 6 Feb 2022, the issue has been resolved. Attackers will be unable to access the exact voting time of a user.
DESCRIPTION / ENVIRONMENT
ENVIRONMENT:
CHROME 96 (issue was reproducible in all browser environments)
AFFECTS:
Websites that use MediaWiki software and have the SecurePoll extension installed
AREA:
SecurePoll component
STEPS TO REPRODUCE
The steps to reproduce were bound by an NDA. Please refer to CVE-2022-28323 for the reproduction details (if it is released).
EXPECTED RESULT
Users should be unable to determine the exact voting time of a user.
ACTUAL RESULT
Users are able to determine the exact voting time of a user.