I fought the law...

12 Jul 2007

Davey Winder reveals how he took on the government and won, and why incident disclosure is so important to your business...

If you're responsible for any web-based service that holds or processes personal information then take note, because this is important. The UK government got itself into all kinds of trouble when a Channel 4 investigation revealed that the NHS Medical Training Application Service (MTAS) database was seriously compromised: all it took to access data about doctors' sexual preferences and career choices was to change numerical identifiers in the URL. Naturally, this was big news, and the whole MTAS system has now been abandoned. Imagine my surprise then when I found an almost identical security breach within a more sensitive web-accessible database, one with national security implications. Here's how I broke the Online Visa Application security story, got the service shut down and an investigation by the Information Commissioner launched. The moral of this tale is that if a body with the budget and organisation of the UK government can make such mistakes, how confident are you of your security?

It started a year before I became involved, when an Indian citizen called Sanjib Mitra applied for a visa to work in the UK. The Foreign & Commonwealth Office (FCO) has outsourced the online collection of applications (not the whole process, just the form-filling) in various countries to VFS Global, a subsidiary of the Kuoni Travel Group. Mitra was using this system when he encountered a blank screen and his browser refused to go back. Wondering if he could salvage his application data by changing one of the numbers at the end of the complex URL to go back a page, he found that data certainly did appear, but it wasn't his!

Mitra had stumbled across the old "change the URL and access database records" security breach. This system is meant to provide "security by obscurity", the theory being that if you don't know the URL you can't get the data - unless, that is, the system is so insecure you can guess it. Not being a terrorist or identity thief, Mitra emailed VFS Global and received no response, so he contacted the British High Commission in India and received an automated "thanks for your concern". A year later, the breach remained open, which is when I got involved.

I steeled myself to contravene the Computer Misuse Act by hacking the application database (don't try this at home folks) to get the required hands-on evidence, and discovered a breach that made the MTAS affair look insignificant by comparison. Thousands of applicants' data was exposed online, which anyone with a browser could view just by changing numbers in a URL. I accessed six people's applications, taking screenshots as I went - which proved to be hugely important later - that revealed not just names and addresses, spouses and children, employment histories, but also passport numbers and even travel plans. Armed with this evidence and my reputation as IT Security Journalist of the Year, I approached VFS Global and the FCO stating my intention to publish the facts, but not before giving them the chance to fix the problem.

As a member of the National Union of Journalists, I've signed a code of ethics that I take very seriously, under which it's quite wrong to publicly disclose a breach of this nature without doing everything possible to secure it first. If more journalists and "security researchers" were to take an ethical approach to disclosure, even at the expense of forfeiting a more sensational story, perhaps the IT industry would be more inclined to work with us over dealing with such problems. To cut a long story short, it took less than 24 hours, and just a handful of emails, to get this serious breach closed and, once I was happy that was the case, I went public with the story on my Inside Edge blog (you can read the original posting at www.daniweb.com/blogs/entry1466.html).

Pages