CVE-2020-8989

Name of the Vulnerable Software and Affected Versions Voatz application 2020-01-01 for Android

Description The issue allows remote attackers to discover a voter's choice by sniffing the network, as the amount of data transmitted during a single vote depends on the different lengths of metadata across available voting choices. For instance, a small amount of sniffed data may indicate a vote for the candidate with the least metadata. An active man-in-the-middle attacker can exploit this behavior to disrupt voters' abilities to vote for a candidate opposed by the attacker.

Recommendations For the Voatz application 2020-01-01 for Android, consider implementing encryption to protect the metadata and prevent attackers from discovering voting choices by sniffing the network. As a temporary workaround, restrict access to the voting functionality until a patch is available to address the metadata length issue.