Don’t share your direct WebElect link
UG voting system sensitive to fraud
Students have been able to vote online in the election for the university council and the various faculty councils since Monday. All students received an email with a link to the voting system WebElect. After clicking ‘vote now’, students have to select their university and log in using their student number and password.
It’s very straightforward. But sharing the direct link to the WebElect online environment is a problem, since that URL contains both a student’s number and their password, bypassing the login screen. If you copy the link and share it with someone, that person can access your private voting page.
Computer program
The solution seems simple: just don’t share your personal link with anyone. But David Jan Meijer with De Vrije Student says there’s a bigger issue at play: ‘Since I now know what students’ usernames and passwords look like, I could write a computer program that gives me access to all the students’ login information for WebElect. Then I’d be able vote for every student who hasn’t done so yet.’
Meijer had noticed the issue when the students up for election filled out their candidate lists a few weeks ago, and he contacted WebElect. ‘After a few difficult conversations, they said they wouldn’t be able to fix it before the elections. I haven’t been able to reach them since.’
Deliberate choice
The university acknowledges the issue. ‘If a student copies the link and shares it with a friend, that friend does indeed have access to the first person’s private voting page’, a spokesperson writes. ‘It would be better it this wasn’t the case, even if someone made a deliberate choice to share the URL.’
Once a student has voted, this vote can’t be changed. The page then says the option to vote no longer exists. It’s also not shown which party and which person the student voted for.