Canadian Passport Website Falls For Oldest Privacy Breach On The Web

from the that-one-again? dept

Back in the early days of the web, there were plenty of stories about a rather simple security breach on various sites. Basically, many sites would simply pass a user’s account number through as a part of the URL. If a user simply changed the URL, her or she could see the account info of that other issue associated with the new number. After a few such cases came to light, most web app designers quickly realized to plug that hole, and it’s been quite some time since we’ve heard of a site with such a security hole. However, it appears that there are still a few. The site for Passport Canada, where people can apply for a Canadian passport apparently had exactly that security vulnerability, allowing the guy who discovered it to see the passport application data of other applicants simply by adjusting the URL. It’s never nice to hear about a security flaw (especially on a gov’t website with all sorts of private info), but it actually induces a bit of nostalgia to hear of such a basic security flaw showing up in the wild yet again.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Canadian Passport Website Falls For Oldest Privacy Breach On The Web”

Subscribe: RSS Leave a comment
Harry says:

Passport Canada website

This news article was on the CBC a few nights ago. The guy who discovered the security flaw said that he probably wasn’t the first, so who knows how many records were compromised? Given the many government rules and regulations and standards, as well as all the money it spends, one would expect a near bulletproof website. There were lots of theatrics about it in the House of Commons. You can bet a few heads will roll!

Just Me says:

Oh Canada

I am Canadian (Molsen anyone?) and I have to say that I’m not overly comfortable with the Canadian Gov’s IT work before this.
They have an Epass system where you enter in all of your private info (SIN etc) to access your tax info and such online. Great site, but a little while ago I went to log in and the cert had expired…Months before!!
These are the people we entrust with protecting our freedoms>? They can’t even protect a web site!

I emailed them to let them know the cert had expired…never heard back and haven’t been back to the site since.

Anonymous Coward says:

Form is always more important than function

The way a thing is worded is more important than the content. My anal retentive English teachers drummed that into me all through school. I failed a lot of classes knowing the subject but not the grammar (read: the importance of protocol). Never forget. Most people are dumb as nails ( not to impinge the intelligence of English majors, of course, who we all know are smart people) It is far easier to focus on form then function !

R. Wing says:

What? by Jim on Dec 6th, 2007 @ 6:10am

“her or she could see the account info of that other issue associated with the new number.”

“her or she”?

Aside from that: I know what you’re trying to say here but this is really very poorly worded. Maybe: “he or she could see the account info of other users.”


who the hell cares how he spelt it. you understood it. you got it. you didn’t even comment on the story just the spelling. is that what you do online now a days? spell check everyones articles?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...