During the show last Saturday, watched by some 3.7 million viewers, part of the voting system was put out of action, and later it was announced that all earlier votes in that part of the programme had been erased.
New for this year's qualification in the Swedish song contest ‘Melodifestivalen’ is a smartphone app in which viewers make ‘heartvotes’ during the performance of their chosen artist. Every user is able to use this system to make up to five such votes for each song.
“We have had 738,000 downloads of this app and 525,000 users,” Christel Tholse Willers, head manager of the show, told SCMagazineUK.com.
The app had been used during the five pre-qualification rounds without any major problems. It is credited with achieving a 400 percent increase in voting over the previous year. Potentially, more than ten million votes could have been made with the app during the final. But in the final, when the very popular Jon Henrik Fjällgren performed a traditional Sami song in the original language of this northern indigenous people, Willers' crew noticed an extreme load on the voting servers for the app.
“We are investigating an attack. The servers are configured for a very heavy load, but this was abnormal and extreme,” she says.
Since the reliability of the system was compromised and some servers went down during the peak load, the voting system was taken out of service. Viewers were informed by the show hosts and all earlier votes made using the app were erased.
It is not known how the outcome of the contest may be affected, but the winner was so far ahead of the others that it probably didn't matter. Just over 1.5 million people voted via other means such as SMS and phone calls.
The Swedish security company Truesec analysed the app prior to the final and had said that it wouldn't be a problem to reverse engineer it to create fake votes. But because of the security measures that had been implemented, it was considered that achieving very high numbers of false votes would not be easy.
“But it is not hard to figure out which servers are used by analysing the app traffic on networks, and a potential risk is that the servers are attacked via a traditional overload method,” Marcus Murray, security team manager at Truesec, tells SCMagazineUK.com.
The app's security hardening consists of a subscription via Google+/Facebook or the user's mobile phone number. The user must log in to be able to vote.
An external ten-man team developed the app at a cost of some £100,000. There has been criticism from the general public that the app system hadn't been fully tested when it was put into service. Several experts were reported to have agreed that the system clearly wasn't correctly configured and built to cope with the threats it faced.