A serious flaw in New South Wales’ electronic voting service – iVote – could have seen votes changed, experts say.

iVote began in 2011 as an aid for rural residents and vision-impaired voters, but it has grown. This year, iVote has already taken about 66,000 votes in the upcoming NSW election.

But there is a big problem with the analytics service used behind the scenes.

While the voting website uses a secure SSL configuration, JavaScript from an external server that tracks site visitors could function as a back door.

The flaw was found by researcher Vanessa Teague from the Department of Computing and Information Systems at the University of Melbourne.

She says the tracker leaves the iVote site open to a range of attacks, including changing how a person votes.

The NSW Government agency that run iVote disabled the analytics code when they were informed of the flaw, but polls had been open for several days and many votes could have been compromised.

The iVote system allows users to change their vote any time up until the actual election day.

The NSW Electoral Commission has not made any detailed comments, other than to say that “the verification process is not telling us any faults are in the system”.

Authorities are scrambling to patch potential gaps just days after the iVote system was taken offline and updated to include two parties that were left off the ballot form.