Canadian Passport Website Falls For Oldest Privacy Breach On The Web
from the that-one-again? dept
Back in the early days of the web, there were plenty of stories about a rather simple security breach on various sites. Basically, many sites would simply pass a user’s account number through as a part of the URL. If a user simply changed the URL, her or she could see the account info of that other issue associated with the new number. After a few such cases came to light, most web app designers quickly realized to plug that hole, and it’s been quite some time since we’ve heard of a site with such a security hole. However, it appears that there are still a few. The site for Passport Canada, where people can apply for a Canadian passport apparently had exactly that security vulnerability, allowing the guy who discovered it to see the passport application data of other applicants simply by adjusting the URL. It’s never nice to hear about a security flaw (especially on a gov’t website with all sorts of private info), but it actually induces a bit of nostalgia to hear of such a basic security flaw showing up in the wild yet again.
Filed Under: breach, canada, passports, security, url, websites
Comments on “Canadian Passport Website Falls For Oldest Privacy Breach On The Web”
Embarrassed
I’m Canadian and I’m embarrassed that we have such shoddy web designing. What I’m not embarrassed about it the fact that I’ve listened to Aerodynamic by Daft Punk about 6 times now on repeat. It’s just as awesome today as it was 6 years ago.
Share the love!
Nothing is Private
I still assume that anything that I have put online is at risk of hacking. Checking my credit reports, bank accounts, credit card accounts, social security information and other items has become a regular routine of mine.
This is just another example of why I do it.
What?
“her or she could see the account info of that other issue associated with the new number.”
“her or she”?
Aside from that: I know what you’re trying to say here but this is really very poorly worded. Maybe: “he or she could see the account info of other users.”
Passport Canada website
This news article was on the CBC a few nights ago. The guy who discovered the security flaw said that he probably wasn’t the first, so who knows how many records were compromised? Given the many government rules and regulations and standards, as well as all the money it spends, one would expect a near bulletproof website. There were lots of theatrics about it in the House of Commons. You can bet a few heads will roll!
her or she could see the account info
“he or she?”
most web app designers quickly realized to plug that hole
“quickly reacted?”
Every error reduces your credibility and lowers everyone’s expectations. For the love of all that’s good in the world, have someone proofread your posts!
Re: Re:
If you want something with less typos, read a dictionary.
Oh Canada
I am Canadian (Molsen anyone?) and I have to say that I’m not overly comfortable with the Canadian Gov’s IT work before this.
They have an Epass system where you enter in all of your private info (SIN etc) to access your tax info and such online. Great site, but a little while ago I went to log in and the cert had expired…Months before!!
These are the people we entrust with protecting our freedoms>? They can’t even protect a web site!
I emailed them to let them know the cert had expired…never heard back and haven’t been back to the site since.
Re: Oh Canada
Impostor! You’re not Canadian! If you were you would know it’s Molson not Molsen! Err… unless of course you really are Canadian and were well into a 2-4 of the stuff when you posted…
Form is always more important than function
The way a thing is worded is more important than the content. My anal retentive English teachers drummed that into me all through school. I failed a lot of classes knowing the subject but not the grammar (read: the importance of protocol). Never forget. Most people are dumb as nails ( not to impinge the intelligence of English majors, of course, who we all know are smart people) It is far easier to focus on form then function !
What? by Jim on Dec 6th, 2007 @ 6:10am
“her or she could see the account info of that other issue associated with the new number.”
“her or she”?
Aside from that: I know what you’re trying to say here but this is really very poorly worded. Maybe: “he or she could see the account info of other users.”
———————————————-
who the hell cares how he spelt it. you understood it. you got it. you didn’t even comment on the story just the spelling. is that what you do online now a days? spell check everyones articles?