The Zimbabwe Election Commission (ZEC) Website. What went wrong?


September 3, 2018

One month ago, we released a digital forensic report documenting the website defacement of the Zimbabwe Election Commission (ZEC).

A few weeks on, we are trying to put all the pieces together and shed some light on what happened with the elections website. In the past couple of weeks, we reached out to the people involved in the development of the ZEC website; after a few email exchanges, they refused to provide us with further explanations.

 

What went wrong?

In the middle of May 2018, Kudakwashe Kawadza, acting as systems support engineer from Africom, partners with the company “Guagemode” to develop the website zec.org.zw for the 30th July elections.

“Guagemode” seems to act as a consultant for Africom, while Africom keeps direct connection with the client (ZEC).

 

Kudakwashe Kawadza

Unknown company

This kind of relationship between an ICT solutions provider and consultants is not new, but our first surprise was that we could not even find Guagemode's domain name, guagemode.co.zw; the only record we could find was a simple Facebook page.

Guagemode is run by Kefasi Jaravasa, a young software developer with a BSc Honours Degree in Information Systems from Midlands State University who is currently taking courses to obtain his Masters. In the past, Jaravasa has been an intern in the Parliament and worked for one year as a lecturer in the Airforce.


Kefasi Jaravasa, who in the past has developed websites for other organizations, including the Zimbabwe Democracy Institute (www.zimdem.org), some charity organizations and schools, reuses old code that he developed for other clients such as zimdem.org to quickly develop the site for ZEC.

During our research we could see that the code he reuses from the Zimbabwe Democracy Institute site also has the same vulnerabilities.


Quick and dirty development

Kefasi Jaravasa developed the ZEC internal website from scratch in PHP, reusing old code developed in the past and without using any development framework that could have helped him harden its security.

Just a few weeks before the national election, the new website is moved onto “shared hosting” at Africom, where other organizations such as netguardsec.com or chisipoconsultants.co.zw host their sites.

 

Site gets defaced as a form of political protest

During the evening of 1st of August 2018, a hacker using the name @zim4thewin replaces the home page of the site. Within 15 minutes, ZEC takes the website down using Africom's shared-hosting control panel (cPanel) and replaces the altered home page, which showed pictures of victims of riots in Harare, with an existing backup copy.

For several days after the attack, the ZEC developer does not manage to identify the backdoors present in the website or all the flaws used by the attacker to take over the website.

The most likely vulnerabilities exploited by the defacer were the poorly written JavaScript code that did not protect the zec.org.zw admin area and the lack of sanitization of the file names or contents in different download and upload functions.
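The two server-side controls whose absence is described above, shown as an added example that is not code from the ZEC site or its developer: authorization enforced on the server for every request, and a user-supplied file name confined to one directory. The names DOWNLOAD_DIR, resolve_download(), the `is_admin` session flag and the `file` parameter are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical storage directory, kept outside the web root.
const DOWNLOAD_DIR = '/var/www/private/downloads';

/** Map a user-supplied file name to a real path inside $baseDir, or null. */
function resolve_download(string $requested, string $baseDir): ?string
{
    // Allow-list: one plain file name with an expected extension, no separators.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,100}\.(pdf|csv|xlsx)\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    // realpath() resolves symlinks and ".."; the result must still sit under $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

// Request handling: only when served over HTTP, not when included from the CLI.
if (PHP_SAPI !== 'cli') {
    session_start();
    // The decision is made here, on the server. Hiding or redirecting the admin
    // area with client-side JavaScript does not restrict access to it.
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
    $file = $_GET['file'] ?? '';
    $path = is_string($file) ? resolve_download($file, DOWNLOAD_DIR) : null;
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```

The same allow-list and realpath() confinement applies to upload handlers, where the stored name should be generated by the server and not taken from the client.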

 

Heads up

Just after the security breach, and after listening to the press conference held on the 2nd of August 2018, we reached out to Kefasi Jaravasa and disclosed the security vulnerabilities we found so they could be quickly patched. During our conversations, he acknowledged that he was the developer of the website but said he could not disclose for whom he was working.


The last week of September 2018, we also reached out to Kudakwashe Kawadza (Africom link with ZEC), seeking further explanations about the unprofessional way in which the website was developed, and shared our findings with both of them.

Unanswered questions

We sent them these questions.

– Why did ZEC choose Africom and Guagemode for the development of such a sensitive website?

– Why was the development done in a hurry, without proper dedicated hosting and security testing?

– What resources were dedicated to the website development?

– Why did ZEC not disclose the content of the defacement?

Kudakwashe Kawadza stated that he is no longer working for Africom and that he has not been involved in the ZEC development at all.

Kefasi Jaravasa stated that he has no contact with Kudakwashe Kawadza, that he is in fact working full time for Africom, and that Guagemode LLC is not a registered company and has nothing to do with the development.

When asked to give further details about the rest of the questions, they stopped answering.

 

Update 4th September 2017

Kudakwashe Kawadza claims that we got his email and contact details at Afri-net wrong, and that his mail at Africom is kkawadza@ and not kawadzak@afri-com.net

Using public information from ZOOM, we could not confirm this claim, as all mails from afri-com.net follow the pattern SURNAME + (N)AME. So his official mail should be kawadzak@afri-com.net