Yogosha’s ethical hackers have tested the security of MaProcuration, the digital proxy voting system of the French Ministry of the Interior.
If you gave a proxy to a relative for the last French presidential or legislative elections, chances are you used maprocuration.gouv.fr. Created in 2021, the service simplifies applications for electoral proxies by dematerializing part of the procedure.
The system is accessible to all voters and lets them complete most of a proxy application directly online, after authentication via FranceConnect. To validate the procedure, the proxy grantor must then have his or her identity verified at a police station or consulate. This saves a lot of time, since all the information has already been entered.
If you are not familiar with digital methods, there’s no need to worry: the digital procedure complements the paper procedure without replacing it. In both cases, the proxy holder doesn’t have to do anything – except go to a polling station on election day!
Digital security at the core of MaProcuration
Obviously, the security of the digital tools provided to the French people is a major concern for the Ministry of the Interior, which is behind MaProcuration. The service has to deal with citizens’ data, and has to be impervious. It has therefore been thoroughly tested, to ensure that no vulnerability can be exploited by malicious actors.
For instance, PASSI tests were conducted prior to the deployment of the platform to identify potential vulnerabilities. Since then, the Ministry has been committed to a continuous monitoring process, with regular audits to ensure that no new vulnerabilities emerge. It is in this context that a bug bounty with Yogosha was considered, at the instigation of the General Secretariat of the Ministry of the Interior and Overseas.
Ethical hackers to test the security of the platform
Bug bounty is a new vulnerability detection method. The idea is simple: call upon the community of ethical hackers to identify risks in systems. If a hacker discovers a vulnerability, he receives a bounty. If there are no detections, organizations have no expenses to incur. It’s simple and effective.
However, this doesn’t mean that anyone can participate. The Yogosha Strike Force is a community of veteran hackers, selected through testing and identity verification. Some of our hunters received extra attention and were retained to participate in the bug bounty conducted on the MaProcuration platform.
“The audacity demonstrated by the MaProcuration teams in trusting ethical hackers marks a real paradigm shift in the approach to securing even the most sensitive information systems. The experience of this campaign allowed me to discover a new field of cyber risks related to regalian issues.” – Mathieu Bouvet, Lead CSM at Yogosha
The field test of bug bounty
Bug bounty doesn’t replace other forms of auditing such as penetration testing; it complements them. It is important to continuously monitor the security of systems even after they have been put into production, whether to meet the challenges of agile development methods or to address the rapidly changing landscape of cyber threats. Hackers then provide that extra layer of security, intervening throughout the development and life cycle.
It is with this philosophy that MaProcuration was tested in real conditions, over two months of contact with hackers. David Crochemore is Head of the digital transformation team for the department in charge of the elections at the Ministry of the Interior; he explains:
“For us, bug bounty was really complementary to other security tests and it brought its own added value. It allowed us to discover several vulnerabilities, which had not been seen before in the application. That being said, the vulnerabilities were neither numerous nor critical, which shows that we had done serious work.” – David Crochemore
We take this opportunity to remind you that since the 1st of January 2022, it is possible to give a proxy to a person registered on the electoral list of a different municipality from yours. Giving a proxy has never been so easy!