Monday, February 04, 2008

 

Blame Canada: passport breach is "that bloody simple"

The Globe and Mail reports that a security flaw in Passport Canada's website rewards a trivial level of effort with enough data to steal the identity of any individual applying for a Canadian passport. The story does not describe the flaw in technical terms, but the layman's description sketches one of the all-time classic flaws in bad web design. When a user applies for a passport, he or she can see a user ID in the URL. Simply changing a character in the user ID reveals all the records of the next user. This "hack" is so simple that an ordinary passport applicant using the site discovered the flaw by accident.

A better approach would have been to design the site without making the user IDs a visible part of the URLs. The same goes for any kind of database ID: we once wrote a story about a music-related e-commerce site that lost a bundle of money when a similar trick was used on product IDs showing up in URLs. The attacker changed the price of everything on the site to one cent (LiveSecurity subscribers can review the tale in "Dustin and the Price of Glory").

One way to hide such IDs: Pass them through a hashing algorithm so that what shows in the URL is not the literal ID. But more importantly -- because sooner or later, some user will try to twiddle digits -- the site should have an authentication mechanism built in, preventing user 123456 from "deciding" that she is user 123457.
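The two measures above, sketched as an added example (not code from Passport Canada or from the original post). It uses a keyed hash (HMAC) rather than a plain hash, since anyone can recompute a plain hash of a sequential number; the record store, the key, and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: application records keyed by sequential database ID.
RECORDS = {
    123456: {"owner": "alice", "name": "Alice Example"},
    123457: {"owner": "bob", "name": "Bob Example"},
}
URL_KEY = b"demo-only-key"  # assumption: a server-side secret, never sent to clients


def fetch_vulnerable(url_id):
    """The flawed pattern: whatever ID appears in the URL is served."""
    return RECORDS.get(int(url_id))


def opaque_ref(record_id):
    """Keyed hash (HMAC-SHA256) of the ID, so the URL value cannot be guessed."""
    return hmac.new(URL_KEY, str(record_id).encode(), hashlib.sha256).hexdigest()


# Server-side lookup table from opaque reference back to the real ID.
REF_TO_ID = {opaque_ref(rid): rid for rid in RECORDS}


def fetch_hardened(session_user, ref):
    """Resolve the opaque reference, then check the logged-in user owns the record.

    session_user is assumed to come from the authenticated server-side session,
    never from the URL or any other client-supplied field.
    """
    record_id = REF_TO_ID.get(ref)
    if record_id is None:
        return None  # altered or unknown reference
    record = RECORDS[record_id]
    if record["owner"] != session_user:
        return None  # valid reference, but not this user's record
    return record


if __name__ == "__main__":
    print(fetch_vulnerable("123457"))                   # neighbour's record is served
    print(fetch_hardened("alice", opaque_ref(123456)))  # own record
    print(fetch_hardened("alice", opaque_ref(123457)))  # None: ownership check refuses
```

The last call is the important one: even a correct opaque reference to another user's record is refused, so the ownership check still holds if a reference leaks.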

Custom web applications now perch shamefully at the top of the list of hacker targets. But web apps have been popular targets for at least three or four years now, and any interested admin can find a plethora of help, tips, best practices, and configuration advice online. For example:

OWASP Application Security FAQ
SQL Injection: Modes of Attack, Defence, and Why It Matters
If your company's web server uses Microsoft's IIS, try the IIS Lockdown tool

The worst part of the Canadian breach? After the problem was spotted, fixed, and the site was brought back up, the Globe reports, "a few keystrokes sufficed to reveal some of the personal information of passport applicants, including names, addresses and numbers for references and emergency contacts." The site wasn't really fixed. No wonder one of the Canadian users of the site groused, "It's supposed to use high-tech security. You'd think it wouldn't be that bloody simple." Is this another example of security falling through the cracks between the IT group and the web dev team? Before you blame Canada, better check for similar problems inside the bureaucracy you call home. -- Scott Pinzon, CISSP




