Canadian Passport Website Falls For Oldest Privacy Breach On The Web
from the that-one-again? dept
Back in the early days of the web, there were plenty of stories about a rather simple security breach on various sites. Basically, many sites would simply pass a user's account number through as a part of the URL. If a user simply changed the URL, her or she could see the account info of that other issue associated with the new number. After a few such cases came to light, most web app designers quickly realized to plug that hole, and it's been quite some time since we've heard of a site with such a security hole. However, it appears that there are still a few. The site for Passport Canada, where people can apply for a Canadian passport apparently had exactly that security vulnerability, allowing the guy who discovered it to see the passport application data of other applicants simply by adjusting the URL. It's never nice to hear about a security flaw (especially on a gov't website with all sorts of private info), but it actually induces a bit of nostalgia to hear of such a basic security flaw showing up in the wild yet again.
Reader Comments (rss)
(Flattened / Threaded)
Embarrassed by Bah-Humbug on Dec 6th, 2007 @ 1:04am
I'm Canadian and I'm embarrassed that we have such shoddy web designing. What I'm not embarrassed about it the fact that I've listened to Aerodynamic by Daft Punk about 6 times now on repeat. It's just as awesome today as it was 6 years ago.
Share the love!
(reply to this comment) (link to this comment)
Nothing is Private by Max Powers on Dec 6th, 2007 @ 3:38am
I still assume that anything that I have put online is at risk of hacking. Checking my credit reports, bank accounts, credit card accounts, social security information and other items has become a regular routine of mine.
This is just another example of why I do it.
(reply to this comment) (link to this comment)
What? by Jim on Dec 6th, 2007 @ 6:10am
"her or she could see the account info of that other issue associated with the new number."
"her or she"?
Aside from that: I know what you're trying to say here but this is really very poorly worded. Maybe: "he or she could see the account info of other users."
(reply to this comment) (link to this comment)
Passport Canada website by Harry on Dec 6th, 2007 @ 6:39am
This news article was on the CBC a few nights ago. The guy who discovered the security flaw said that he probably wasn't the first, so who knows how many records were compromised? Given the many government rules and regulations and standards, as well as all the money it spends, one would expect a near bulletproof website. There were lots of theatrics about it in the House of Commons. You can bet a few heads will roll!
(reply to this comment) (link to this comment)
by Anonymous Coward on Dec 6th, 2007 @ 7:20am
her or she could see the account info
"he or she?"
most web app designers quickly realized to plug that hole
"quickly reacted?"
Every error reduces your credibility and lowers everyone's expectations. For the love of all that's good in the world, have someone proofread your posts!
(reply to this comment) (link to this comment)
Re: by dorpass on Dec 6th, 2007 @ 7:48am
If you want something with less typos, read a dictionary.
(reply to this comment) (link to this comment)
Oh Canada by Just Me on Dec 6th, 2007 @ 8:26am
I am Canadian (Molsen anyone?) and I have to say that I'm not overly comfortable with the Canadian Gov's IT work before this.
They have an Epass system where you enter in all of your private info (SIN etc) to access your tax info and such online. Great site, but a little while ago I went to log in and the cert had expired...Months before!!
These are the people we entrust with protecting our freedoms>? They can't even protect a web site!
I emailed them to let them know the cert had expired...never heard back and haven't been back to the site since.
(reply to this comment) (link to this comment)
Form is always more important than function by Anonymous Coward on Dec 6th, 2007 @ 4:19pm
The way a thing is worded is more important than the content. My anal retentive English teachers drummed that into me all through school. I failed a lot of classes knowing the subject but not the grammar (read: the importance of protocol). Never forget. Most people are dumb as nails ( not to impinge the intelligence of English majors, of course, who we all know are smart people) It is far easier to focus on form then function !
(reply to this comment) (link to this comment)
by R. Wing on Dec 7th, 2007 @ 2:07am
What? by Jim on Dec 6th, 2007 @ 6:10am
"her or she could see the account info of that other issue associated with the new number."
"her or she"?
Aside from that: I know what you're trying to say here but this is really very poorly worded. Maybe: "he or she could see the account info of other users."
----------------------------------------------
who the hell cares how he spelt it. you understood it. you got it. you didn't even comment on the story just the spelling. is that what you do online now a days? spell check everyones articles?
(reply to this comment) (link to this comment)
Re: Oh Canada by Anonymous Coward on Dec 7th, 2007 @ 10:13am
Impostor! You're not Canadian! If you were you would know it's Molson not Molsen! Err... unless of course you really are Canadian and were well into a 2-4 of the stuff when you posted...
(reply to this comment) (link to this comment)
Add Your Comment