Canadian Passport Website Falls For Oldest Privacy Breach On The Web

from the that-one-again? dept

Back in the early days of the web, there were plenty of stories about a rather simple security breach on various sites. Basically, many sites would simply pass a user's account number through as a part of the URL. If a user simply changed the URL, her or she could see the account info of that other issue associated with the new number. After a few such cases came to light, most web app designers quickly realized to plug that hole, and it's been quite some time since we've heard of a site with such a security hole. However, it appears that there are still a few. The site for Passport Canada, where people can apply for a Canadian passport apparently had exactly that security vulnerability, allowing the guy who discovered it to see the passport application data of other applicants simply by adjusting the URL. It's never nice to hear about a security flaw (especially on a gov't website with all sorts of private info), but it actually induces a bit of nostalgia to hear of such a basic security flaw showing up in the wild yet again.


Reader Comments (rss)

(Flattened / Threaded)

  •  
    identicon
    Bah-Humbug, Dec 6th, 2007 @ 1:04am

    Embarrassed

    I'm Canadian and I'm embarrassed that we have such shoddy web designing. What I'm not embarrassed about it the fact that I've listened to Aerodynamic by Daft Punk about 6 times now on repeat. It's just as awesome today as it was 6 years ago.

    Share the love!

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Max Powers, Dec 6th, 2007 @ 3:38am

    Nothing is Private

    I still assume that anything that I have put online is at risk of hacking. Checking my credit reports, bank accounts, credit card accounts, social security information and other items has become a regular routine of mine.

    This is just another example of why I do it.

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Jim, Dec 6th, 2007 @ 6:10am

    What?

    "her or she could see the account info of that other issue associated with the new number."

    "her or she"?

    Aside from that: I know what you're trying to say here but this is really very poorly worded. Maybe: "he or she could see the account info of other users."

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Harry, Dec 6th, 2007 @ 6:39am

    Passport Canada website

    This news article was on the CBC a few nights ago. The guy who discovered the security flaw said that he probably wasn't the first, so who knows how many records were compromised? Given the many government rules and regulations and standards, as well as all the money it spends, one would expect a near bulletproof website. There were lots of theatrics about it in the House of Commons. You can bet a few heads will roll!

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Dec 6th, 2007 @ 7:20am

    her or she could see the account info
    "he or she?"

    most web app designers quickly realized to plug that hole
    "quickly reacted?"

    Every error reduces your credibility and lowers everyone's expectations. For the love of all that's good in the world, have someone proofread your posts!

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    Just Me, Dec 6th, 2007 @ 8:26am

    Oh Canada

    I am Canadian (Molsen anyone?) and I have to say that I'm not overly comfortable with the Canadian Gov's IT work before this.
    They have an Epass system where you enter in all of your private info (SIN etc) to access your tax info and such online. Great site, but a little while ago I went to log in and the cert had expired...Months before!!
    These are the people we entrust with protecting our freedoms>? They can't even protect a web site!

    I emailed them to let them know the cert had expired...never heard back and haven't been back to the site since.

     

    reply to this | link to this | view in chronology ]

    •  
      identicon
      Anonymous Coward, Dec 7th, 2007 @ 10:13am

      Re: Oh Canada

      Impostor! You're not Canadian! If you were you would know it's Molson not Molsen! Err... unless of course you really are Canadian and were well into a 2-4 of the stuff when you posted...

       

      reply to this | link to this | view in chronology ]

  •  
    identicon
    Anonymous Coward, Dec 6th, 2007 @ 4:19pm

    Form is always more important than function

    The way a thing is worded is more important than the content. My anal retentive English teachers drummed that into me all through school. I failed a lot of classes knowing the subject but not the grammar (read: the importance of protocol). Never forget. Most people are dumb as nails ( not to impinge the intelligence of English majors, of course, who we all know are smart people) It is far easier to focus on form then function !

     

    reply to this | link to this | view in chronology ]

  •  
    identicon
    R. Wing, Dec 7th, 2007 @ 2:07am

    What? by Jim on Dec 6th, 2007 @ 6:10am

    "her or she could see the account info of that other issue associated with the new number."

    "her or she"?

    Aside from that: I know what you're trying to say here but this is really very poorly worded. Maybe: "he or she could see the account info of other users."


    ----------------------------------------------

    who the hell cares how he spelt it. you understood it. you got it. you didn't even comment on the story just the spelling. is that what you do online now a days? spell check everyones articles?

     

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This