Anonyvoter: A forensic analysis of democratic capture.
In 2020, the UK Labour Party procured a voting platform without tender, without audit, and without any of the security controls that would be considered basic for a system determining who gets to run the country.
Security Assessment of the Anonyvoter Voting Platform
Source Code Analysis and Formal Verification, Alex Bedford, May 2026
Critical Vulnerabilities
All vulnerabilities confirmed through source code analysis and formal testing.
Plaintext Password Fallback
CheckPassword() compares the stored value against the plaintext input before checking the hash. Anyone with database write access can insert a known plaintext string for a target account, gaining permanent login access with no indication of compromise.
No Brute-Force Protection
Login.aspx has no rate limiting, no account lockout, no CAPTCHA, and no failed-attempt counter. Unlimited password guesses can be submitted against any account without throttling or detection.
Open Redirect on Login
The redirect query parameter is accepted without validation. A voter receiving a link such as anonyvoter.com/Login.aspx?redirect=http://phishing.site will authenticate on a genuine page and be silently forwarded to an attacker-controlled one.
No CSRF Protection
No anti-forgery token is issued or validated on any page. The ballot wipe-and-reissue flow executes inside a GET request. An img tag on a page the organiser visits could reset an entire poll.
Broken Password Hashing
Passwords are hashed with unsalted SHA-256, and the digest goes through a binary-to-ASCII cast that collapses half the hash space. Rainbow tables apply directly. The stored hash cannot be verified by any standard tool.
Test Mode Redirects All Email to Vendor
When the live application setting is 'N', every outgoing email, including ballot links for real voters, is redirected to the vendor's personal address. The vendor receives all ballot codes for every active poll.
Modulo Bias in Ballot Code Generation
GetNonZeroBytes excludes zero, producing values 1-255. The alphabet is 62 characters. The first 7 characters are approximately 25% more likely per position than the remainder.
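The arithmetic behind the 25% figure, as an added example that is not code from the assessment or from Anonyvoter. It assumes each character is picked as byte % 62 and uses a constructed alphabet order, since the page gives only the alphabet's size; which seven characters are favoured depends on that mapping. Rejection sampling is shown as one unbiased alternative.

```python
import secrets
from collections import Counter

# Constructed alphabet: the page states its size (62), not its order.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
N = len(ALPHABET)

def biased_counts():
    """Count how many byte values 1..255 (zero excluded) map to each
    alphabet index under b % N (assumed mapping)."""
    return Counter(b % N for b in range(1, 256))

def bias_summary():
    """Return (favoured indices, relative excess of a favoured index)."""
    counts = biased_counts()
    high, low = max(counts.values()), min(counts.values())
    favoured = sorted(i for i, c in counts.items() if c == high)
    return favoured, high / low - 1

# Rejection sampling: keep zero, discard bytes >= 248 (the largest multiple
# of 62 that fits in a byte) so every index has exactly 4 source values.
LIMIT = 256 - (256 % N)

def unbiased_counts():
    """Source values per index once bytes >= LIMIT are rejected."""
    return Counter(b % N for b in range(LIMIT))

def unbiased_code(length):
    """Generate a code with uniform per-character probability."""
    out = []
    while len(out) < length:
        for b in secrets.token_bytes(length):
            if b < LIMIT and len(out) < length:
                out.append(ALPHABET[b % N])
    return "".join(out)

if __name__ == "__main__":
    favoured, excess = bias_summary()
    print(f"favoured indices: {favoured}, excess: {excess:.0%}")
    print(f"unbiased counts per index: {set(unbiased_counts().values())}")
    print(f"sample code: {unbiased_code(16)}")
```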
Fire-and-Forget Email Dispatch
Ballot emails are dispatched in a Task.Run with an empty catch block. No dead-letter queue, no automatic retry, no alerting. A voter whose ballot email is silently dropped has no visible recourse.
Structural Deficiencies
Single Vendor Controls All Infrastructure
Henson IT Solutions controls hosting, database, email, and domain. The vendor has database admin access. No contractual audit rights or independent oversight exists.
No Audit Logging
No server-side log records changes to the voter list, poll start/stop events, candidate list modifications, or results CSV downloads. A malicious submission is indistinguishable from a legitimate one.
Live Poll Modification Without Version Control
The organiser can modify the poll title, candidate list, and vote type while the poll is in progress. No version lock, no change log, no voter notification.
Per-Voter Data Visible During Live Poll
The organiser dashboard displays each voter's email, whether they have voted, their ballot code, and whether they were added after the poll started, in real time.
No Encryption at Rest
The only cryptographic operation in the codebase is password hashing, which is itself flawed. Every sensitive value (ballot codes, voter identities, cast votes) is stored in plaintext SQL columns.
Untestable Architecture
Utils.cs is a single file of approximately 4,900 lines containing 15 classes. No dependency injection, no interfaces, no unit tests. Changes cannot be verified against prior behavior.
Documented Incidents
Selections that were contested. Outcomes that were compromised.
Ilford South / Sam Tarry deselected
Tarry reported winning 57% of in-person votes but only 35% of Anonyvoter votes, a 22-point discrepancy. No factor was identified that would account for it. Tarry filed an official complaint alleging vote rigging.
Merthyr Tydfil / Beth Winter deselected
Winter won most in-person and postal votes before Anonyvoter was applied. Winter pressed the Welsh Labour executive for an independent inquiry.
Hamilton and Clyde Valley / Imogen Walker selected
Walker is the wife of Morgan McSweeney, founder of Labour Together. Walker won 62-55 after losing hustings but winning online votes decisively.
Croydon East / Police investigation
71 members' addresses altered. 26 phone numbers changed. 40 new email addresses assigned. Four individuals charged under the Computer Misuse Act. Mark Henson, co-creator of Anonyvoter, was serving as interim treasurer of the Croydon East CLP at the time.
The Question
"The correct position is not that integrity cannot be verified. It is that there are no grounds to assume it was present."
Security Assessment of the Anonyvoter Voting Platform, Alex Bedford, May 2026