• Security researchers found vulnerabilities in an online voting system that could let hackers alter votes without being detected by voters or elections officials, according to a report published Sunday.
  • The report, published by researchers at MIT and the University of Michigan, reveals serious security problems with an online voting application made by Seattle-based Democracy Live.
  • The online voting software is being used by some county and state governments in Colorado, Delaware, New Jersey, Florida, Ohio, Oregon, Washington, and West Virginia.
  • Online voting has typically been reserved for overseas voters, but could be expanded to more people given the COVID-19 pandemic. Some counties are expanding mail-in ballots, which experts say are less vulnerable to fraud.
  • Visit Business Insider’s homepage for more stories.

Researchers at the University of Michigan and MIT found that an online voting platform already being used in some states has serious vulnerabilities, which could be exploited to alter votes without voters or elections officials noticing.

The platform is OmniBallot, created by Seattle-based Democracy Live. It was used for statewide primaries in Delaware and West Virginia, and has also been used by various localities in New Jersey, Colorado, Florida, Oregon, and Ohio, according to The New York Times.

OmniBallot provides a portal for online voting, a relatively rare practice that has typically been reserved for overseas voters. However, some states are looking into expanding online voting to supplement in-person polls amid the COVID-19 pandemic. Other states are focusing more heavily on expanding mail-in ballots, a practice that experts say is less vulnerable to fraud.

Bad actors could compromise OmniBallot’s vote tallies by gaining access to Democracy Live’s servers or one of its third-party web service providers, including Amazon or Google, the researchers found. Such an attack could also be carried out by an insider working for Democracy Live.

"At worst, attackers could change election outcomes without detection, and even if there was no attack, officials would have no way to prove that the results were accurate," wrote the two researchers, Massachusetts Institute of Technology professor Michael Specter and University of Michigan professor J. Alex Halderman.

"No available technology can adequately mitigate these risks, so we urge jurisdictions not to deploy OmniBallot's online voting features," they added.

One of OmniBallot's biggest weaknesses, the researchers said, is that it provides an option for voters to submit ballots electronically without creating any secondary record of ballots that could be tallied to double-check elections results. By contrast, other high-tech voting systems like Microsoft's ElectionGuard are tied to printers that create physical copies of ballots in real time, which provide a paper record for elections officials.

At least seven states and 98 counties have already used OmniBallot. Of those, six governments - including the state governments of Delaware and West Virginia - enabled electronic ballot return without requiring physical copies of ballots.

Democracy Live did not immediately respond to Business Insider's request for comment. CEO Bryan Finney told The Times that "no technology is bulletproof" and that OmniBallot is meant to be used by those who can't vote by any other means.