HKCERT is aware of the recent security issues found in the PopVote polling system deployed in early February 2017. Because of the security risks of exposure of Telegram data of the users, we advise the public not to use the system until the insecure implementation, which requests excessive privilege, is fixed, or use a new SIM card and new Telegram account when accessing the system.

The PopVote polling system is using Telegram, a popular instant messenger application, to authenticate the user’s device. If you are not a current Telegram user, you are brought to go through the registration process for a Telegram account and a verification code will be sent to you via SMS. However, if you happen to be a Telegram user and have even enabled the “2-step verification” feature, you are requested to provide your 2-step verification password to sign in before proceeding - this is where the issue lies!

Risks

1. PopVote is designed by the “session” concept to briefly use your Telegram account. PopVote can theoretically do anything with this session, much more than needed to authenticate the user and the mobile phone. For a current user who has submitted the 2-step verification password, if PopVote ever gets compromised or there is an insider attack, information leakage could be caused because it’s like you have granted a login session on another device. An attacker could possibly view all your chat history, tamper your chat messages or even send messages as you within that session.
2. It was first seen on 7-Feb that PopVote didn’t terminate the active session after a vote is completed. This could increase the risk of session-stealing by an attack if the system is compromised. (On 8-Feb, we saw the PopVote team updated the system to rectify this problem.)
3. If the 2-step verification password is the one you use for other online accounts, the leaked information could allow an attacker to gain access to your other accounts.

Advice

For people who have not voted in the polling:

1. Avoid using the PopVote system.
2. If you decide to access the system, we advise you to use a new SIM card and register a new Telegram account to use the system. Make sure you understand the whole mechanism (https://cast.popvote.hk/#/howthisworks) and Terms & Conditions.

For people who have voted in the polling:

1. If you are not a Telegram user, you can delete the Telegram account by following the steps provided by Telegram (https://telegram.org/faq#q-how-do-i-delete-my-account).
2. If you are a Telegram user, verify if there is any active session. If you find “PopVote …” in the active session list, use “Terminate all other sessions” to terminate it. You can check that in your Telegram app as follows:



 

3. Change the Telegram 2-step verification password and those of other online accounts if you happen to use the same one across these accounts.

Last but not least, beware of phishing links that utilize PopVote as a brand name. Always verify the URL before entering any sensitive information and do not just click the links received in emails or text messages.