Privacy breach nuked in Canadian passport site

Red-faced Canadian passport officials say they've closed a privacy breach on their website that leaked the personal information of applicants, including their driver's license numbers, birth dates - even whether they owned a gun. The hole was discovered last week by an Ontario man who found a simple way to cause the Passport …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Flame

    Not the only problem

    I haven't checked if they fixed this issue yet, but I highly doubt it. It'll take at least a few months to get this fixed.

    This is also not the first issue with the site. About half a year ago they had major XSS issues (probably still do) where URLs would be passed within URLs without checking, so a simple change to the address would serve up any website under https://...gc.ca/ and the govt's own SSL cert. I've tried notifying them through their feedback form, it was broken. I tried phoning in, the hold queue was about 40 minutes. I tried emailing, the appropriate email addresses that were posted were not working - beautiful, isn't it?

  2. David Harper

    Almost as careless as HMRC

    Substitute "UK Identity and Passport Service" for "Passport Canada" and you have another good reason for refusing to cooperate with the ID card scheme.

  3. Anonymous Coward
    Pirate

    Didn't they have this

    same problem a while back with a phone surveillance company. I can't remember the name of them but they somehow snooped on a phone for you and put the data online and by changing the URL you could look at others' data as well. Of course you need authentication at every request otherwise you could write a script and clean them out (mirror their database). By now every ID thief in Canada has a copy.

  4. Mike Arnautov

    Another worrying trend...

    On a closely related issue... Nationwide have decided to ask their on-line users to assist with improving security by asking them to volunteer some personal information, which can then be requested for additional verification. They ask one to supply answers to 5 out of 20 questions such as "what is your favourite song" or "what is/was the name of your first pet animal" etc... Sounds reasonable at the first blink, until you consider what will happen if this method gets adopted by other institutions. If one answers truthfully, a set of non-alterable information gets spread wider and wider and if it leaks from somewhere, what is one to do? One can, of course, invent different (and hence false) responses in every case, but the only way to remember the resulting net of one's lies is to write them down -- the last thing one is supposed to do, of course.

    In a way, it is the same problem as with the wretched belief in biometrics. Authorities fail to appreciate that once un-alterable information is compromised, in whatever way, there is no way out.

  5. sidney cook
    IT Angle

    That hack has been

    Around for a long time. You go to an interesting web site and look at the address bar and notice that it is four or five deep into the site. So you start removing each link from the address to see where it takes you. And a lot of sites just let you into the previous area with no problem.

    I have had some interesting finds on .gov and .edu sites and the other sites I like to go to.

  6. Anonymous Coward
    Flame

    Bank security challenge/response

    On a closely related issue... Nationwide have decided to ask their on-line users to assist with improving security by asking them to volunteer some personal information, which can then be requested for additional verification. They ask one to supply answers to 5 out of 20 questions such as "what is your favourite song" or "what is/was the name of your first pet animal" etc...

    I had an account with a bank which recently imposed a new set of challenge/response questions. There was a large set of questions to choose from, with 5 required. But I couldn't find 5 that applied to me, because most of them were "favorite author" or "favorite book" or something like that. These are supposed to be things that never change, but "favorites" can change anytime. The only thing I could do (besides complaining, which I did) was to select 5 favorites, with totally obvious but nonintuitive answers. My favorite book was "book" and so on.

    They did eventually change their system, but now they've been bought out by another bank (after failing to maintain profitability).

  7. Wolven
    Flame

    From what I can see

    It's not fixed yet. I'm just thankful my information doesn't seem to be up there, but I suspect when it comes time to renew my passport it'll still be a problem.

    Really when has any government from any country actually 'wasted' any time on actually doing something intelligent like securing its public IT infrastructure?

  8. Bernard Romanycia
    Go

    Passport Canada

    The former Liberal government in Canada created this passport mess and had a pretty wide open (feed the world) immigration policy. The current minority Conservative government are on damage control but haven't had the type of problems that France, for example, has been experiencing what with all their immigrants (ah, excuse me) new citizens rioting in the streets. The Conservatives have introduced some new identity legislation but it's going to take some time to implement the changes. Hopefully before another Terrorist attack. A stronger case for BIOmetric passports in the NEW WORLD ORDER police state seems to be just around the corner and coming soon to a border near you. Origin of birth should soon become a helpful defining statistic in assisting those in authority define/choose Friend or Foe status. Your Freedom is worth defending.

    Happy Holidays.

  9. Jeremy
    Alert

    Since the article didn't explicitly say...

    Please don't tell me that all this required was changing the ID on the query string? Jesus F***ing Christ...........

    Whether it was that or something else, I don't know which is worse - that someone made an error that you wouldn't expect to see from a school kid, or that 'Passport Canada' didn't notice...

  10. John Macintyre
    Flame

    bank security

    I'm with a great online bank that as far as I'm concerned is so far behind with the times its login page (asking for all details) is still on a single page and has freetext text fields, thus any muppet with a key logger can break it. Considering HSBC got such a big rap about their security, I was surprised that before they got the rap this bank was still using worse login security and maintains doing so today.

  11. Steve Browne
    Flame

    Politicians are too bullish with the upside

    I don't think anyone here could doubt the benefits gained from well implemented computer systems in delivering consistent, constantly available services to people when they are needed.

    Governments only ever consider this aspect of them.

    Whereas we all know that there is a serious effort expended in developing these applications, running them and making sure they are fixed when problems occur.

    This is the aspect that is ignored by governments, that to create the systems they want costs large sums of money. The companies bidding for this work, should that be company?, has a historic record of failure, for under specifying function and resource requirements, to make the bid more palatable to the chancellor. They just wait for a change request, and then hit for the rest of the money that should have been committed in the first place.

    When the government finds it embarrassing to admit they have been duped again they try to bury it or try to get along with a crippled application which is not fit for purpose.

    I have been fiddling directly with URLs for 13 years now, since I first started using the web. I would have thought that everyone would have known that people can type their own addresses into the address bar and see where it leads. There was a chat site that you could easily get into rooms unnoticed, and watch what people were saying to each other, the room list was obtained by causing an error, so it sent a large file, which mixed in with all manner of strange characters contained the private rooms that had been created. Just select a room name, type it into the URL and you were in, easy.

    To find a government site, even a foreign government, exposing personal information to anyone using this technique is absolutely disgraceful. They demand personal information, under threat of prison if not provided, and then go tell anyone who cares to look all about you. It really is time for data protection officers to have proper budgets and to start prosecuting people, including systems suppliers, for providing insecure systems which do not protect personal data.

  12. Anonymous Coward
    Black Helicopters

    Now.....

    Someone mentioned Biometrics......

    They always argue that the odds are ????????????:1 of someone having identical fingerprints etc.; so they must be unique. As I see it basic maths dictate that everyone must be checked in order to guarantee that it is unique because there is also a chance that they are all identical.

    Very sloppy and wide open argument follows but the odds of winning the European lottery are said to be in excess of 70,000,000:1 but I seem to recall that at one time something like 8 individuals had the jackpot numbers.

    Strange things odds!

    Would anyone seriously like to look at the logic and tell me I am wrong so that we can guarantee that no one else shares my fingerprints, DNA or Iris scan before I get sent to prison for something I didn't do.

  13. Jon Press

    @Mike Arnautov, AC

    Nationwide - quite!

    I've just cancelled an account application because of these 5 "security" questions which sprang up after I'd already provided 3 pieces of personal information to get the application off the ground.

    Security through inconvenience is just as mythical as security through obscurity. Of course, as long as we have newspapers clamouring for everyone on Child Benefit to change their bank account numbers I suppose the banks are under some pressure to find ways of calming their customers down and adding pointlessly arbitrary extra "checks" may be a way of doing it.

    But as long as governments and financial institutions just can't get their heads around basic IT security, the rule should be to give them as little information as possible, not volunteer more....

  14. Tom Chiverton Silver badge

    Anonymous Coward

    You want to google the 'birthday problem'.

    When there are 60 million people to choose from, even fairly unlikely clashes are fairly likely to happen, and you can't exactly choose to use a different fingerprint...

  15. Anonymous Coward
    Anonymous Coward

    @Mike Arnautov, AC

    I recently applied for online access to one of my accounts with Abbey.

    Security Questions seemed reasonable enough at first glance, usual stuff like mother's maiden name, place of birth etc.

    Entered mother's maiden name - ERROR, must be at least 8 characters.

    Same for all the others.

    Result: I had to lie and write my answers down.

    Perhaps Crapita wrote their system.

  16. Anonymous Coward
    Flame

    Unforgivable ...

    I am neither shocked nor surprised at this colossal screw up by my Government's Bureaucracy.

    @Jeremy - the articles say it was as easy as altering the URL.

    "an Ontario man applying online for a passport last Thursday discovered he could access personal information - such as social insurance numbers, birthdates and driver's licence numbers - of other applicants by altering one character in the Internet address displayed by his Web browser."[1] - URL manipulation

    "Mr. Lengelle added that the personal information of applicants is never stored online."[1] - is either totally clueless, calling the report a lie, or both.

    ""When a passport has been issued, the information is deleted," said Mr. Lengelle."[4] - only online for a few weeks then. Well that makes it okay then, doesn't it.

    "Minister Maxime Bernier told the House of Commons that he spoke with Passport Canada CEO Gérard Cossette and was assured that the security problem had been fixed."[1] - perhaps that one particular problem has been fixed/patched/bypassed.

    "'The Web site of Passport Canada is now one of the most secure,' Mr. Bernier told the House."[4] - Unbelievable.

    As a security professional with extensive security testing experience, I have some observations. Basically the error is inexcusable and strongly suggests that there are other problems.

    1. This kind of mistake was kindergarten over 10 years ago!

    2. The site was launched in 2005 [1]. Such an error was inexcusable long before then. Why did it take almost three years to find this?

    3. If they can't get a simple navigation/access control issue right, what about issues that emerged after 1996! Cross-site scripting? SQL injection?

    4. In my experience, a problem of this type suggests those who implemented the site were (possibly grossly) negligent and totally clueless about security. This error should have been caught in basic testing. A penetration test should have caught it. Clearly testing was neglected.

    5. Fixing security problems of this sort is often more difficult than a quick fix will allow. I've seen quick fixes that can be easily bypassed. I've also seen real fixes that can take months. Often this is a function of the framework used. Possibly they can fix this fast, but I wouldn't bet on it.

    6. The Government of Canada should launch a broad investigation to make sure this is not isolated. They should start with an inventory of all their online services prioritized by the sensitivity of data they process/transmit. They should sample by risk and by vendor/developer. And like in a real world infrastructure failure, they should carefully scrutinize anything the developers and maintainers touched.

    Other articles/reference:

    [1] http://www.theglobeandmail.com/servlet/story/RTGAM.20071205.wpassport05/BNStory/National/home

    [2] http://ca.today.reuters.com/news/newsArticle.aspx?type=domesticNews&storyID=2007-12-04T220025Z_01_N04527003_RTRIDST_0_CANADA-PASSPORTS-COL.XML

    [3] http://www.theglobeandmail.com/servlet/story/RTGAM.20071204.wpassport1204/BNStory/National/home

    [4] http://www.nationalpost.com/news/story.html?id=144179

    By the way, I wonder when the third shoe drops … who’s going to have the next Commonwealth IT Security screw up.

    Perhaps the Discovery Channel could do another reality show with the flavour of “Canada’s Worst Driver”, “Canada’s Worst HandyMan”. Welcome, “Canada’s worst web developer!” I’d be up to be judge!

    Thankfully, when renewed after 2005 I did it offline!

  17. Anonymous Coward
    Boffin

    Web Security 101 ...

    Every web developer should be forced to write on a real blackboard 1000 times ....

    1. Do not trust any information from the browser.

    2. Ensure your application/server securely maintains state.

    3. Just because I can't see how to break it, doesn't mean someone else can't.

    4. If I don't know what OWASP is or I don't understand OWASP practices, or if I am in doubt, get qualified help.
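
The access-control flaw discussed in comments 16 and 17 (a record identifier taken from the URL and trusted as-is), shown as an added example that is not part of any poster's comment and not Passport Canada's code. The record layout, URL, and all function names are assumptions made for illustration.

```python
# Added illustration; every name, id and record here is constructed.
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed sample data: application id -> record, including its owner.
APPLICATIONS = {
    "1001": {"owner": "alice", "dob": "1970-01-01"},
    "1002": {"owner": "bob", "dob": "1980-02-02"},
}
SESSIONS = {}  # server-side state: session token -> authenticated user
DENIED = []    # audit trail of rejected lookups, useful for detection


def login(user):
    """Create a server-side session and return its unguessable token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def app_id_from_url(url):
    """Extract the client-supplied id from the query string."""
    values = parse_qs(urlparse(url).query).get("id", [])
    return values[0] if values else None


def view_vulnerable(url):
    """Flawed: returns whichever record the URL names, with no ownership check."""
    return APPLICATIONS.get(app_id_from_url(url))


def view_hardened(url, token):
    """Return (status, record); the record only if the session's user owns it."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    app_id = app_id_from_url(url)
    record = APPLICATIONS.get(app_id)
    # Same answer for "does not exist" and "not yours", so ids cannot be probed.
    if record is None or record["owner"] != user:
        DENIED.append((user, app_id))
        return 404, None
    return 200, record
```

A burst of entries in `DENIED` for sequential ids from one session is the signal that someone is walking the identifier space.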

  18. Andy Gates
    Dead Vulture

    Cockup, not conspiracy

    The green-ink paranoid responses to this news can be dismissed pretty easily: this is a clear and shiny newbie error. As someone who once built a public site with the "Little Bobby Tables" vulnerability, I can speak on newbie errors, I think :)

    Thing is, it takes time and testing to pick up this stuff. You can say "hire boffins" all you like: if you've got your internal dev team, and this isn't their specialty, they may cock up and only testing will catch that. And time and testing are the first things that project managers cut out of any project.

    Of course, this highlights the risks inherent in One Database Of Everything; when (not if) someone cocks up, only the data in that database is exposed.

  19. RW
    Gates Horns

    Online IT Stupidity Nothing New in Ottawa

    Another online IT cockup in Ottawa:

    Canada conducted its regular quinquennial (or decennial) census a couple of years ago. For the first time, they set up a site for (optional) online submission of your responses to the census questionnaire.

    I went to the website and was confronted with a message "You must have Java version <something or other> enabled", the version being very precisely defined. In the words of the profit, fuck that. I keep Java turned off, that particular version of Java may not even be available for my preferred combination of browser & OS, and I don't install new software unless there's a compelling reason to do so.

    Lowering Statistics Canada's census processing costs is not a compelling reason. I sent in the paper form instead.

    One presumes Statistics Canada used Java to implement detailed client-side data validation instead of using Javascript or server-side validation, an implementation strategy of dubious merit. It's always harder to make sure client-side stuff works correctly in all cases, being highly dependent on the exact combination of browser, OS, and settings.

    You have to wonder how many other potential users of their online system joined me in walking away from the online submission site, in the face of its demand for a specific Java version? Considering that Joe & Jane Sixpack probably don't even know what Java is, much less how to upgrade it, I suspect that the participation rate was a lot lower than they hoped for and the costs of developing the online site were not recovered.

    Sometimes I think the Ottawa winter climate congeals the ability to think clearly...

  20. Anonymous Coward
    Dead Vulture

    Exactly ....

    @Andy - no conspiracy just a cockup, a colossal and multi-level one at that

    I have sympathy for newbies and newbie errors. Everyone has to learn.

    I have no sympathy for an organization like Passport Canada with the resources available to them which has failed on so many levels. At the very least they've failed a minimum of two or three of the following:

    - establish or hire competent developers or vendors

    - set proper requirements

    - manage the development of their system

    - adequately test the system at launch or changes

    - audit of their development processes

    - enforce government wide security and privacy requirements

    - conduct ongoing security testing

    Sadly it's bush league. Worse, it's a very big league.

  21. Tim J

    If you've got nothing to hide...

    ...you've got nothing to worry about.

  22. david Silver badge

    Too many private questions? It's "wishful security"

    See the "wish it was two factor" security article on this programming site:

    http://worsethanfailure.com/Articles/WishItWas-TwoFactor-.aspx
