19 November 2015

Taxpayer records exposed by serious ATO, myGov security flaw


Australians can access a range of government services through the myGov portal, including tax services. Australians can access a range of government services through the myGov portal, including tax services. Photo: Screenshot
Australians' private tax records were left unsecured thanks to a serious flaw in how the tax office's online services connect with myGov, in the latest of a series of security bungles related to the federal government's online services.

Experts have raised concerns over the handling of IT security issues by the Australian Taxation Office and the Department of Human Services, which runs the overarching service portal myGov, after a taxpayer who tried to report the issue claimed he was hung up on twice by the agencies' call centre staff.

myGov is a portal which provides single sign-on (SSO) to access multiple services from linked government agencies. myGov is a portal which provides single sign-on (SSO) to access multiple services from linked government agencies. Photo: YouTube
 
Sydney IT professional JP Liew recently discovered the flaw when logging into myGov to access his online tax records, only to discover he was looking at his wife's.

In a video obtained exclusively by Fairfax Media, Liew demonstrated how downloading a PDF letter from the tax office by clicking on a link within the myGov mailbox creates a "cookie" which logs the user into ato.gov.au. (In this case, cookies are used to authenticate the "single sign-on" process, or SSO, whereby the user only has to login once with myGov to access multiple linked services, such as tax, Medicare and Centrelink.)


Because clicking on the PDF link didn't actually open a browser page at ato.gov.au and therefore a page was never closed, the cookie did not expire, meaning the next user who logged in to myGov and clicked on a link to ato.gov.au saw the previous user's records.
Security researcher Nik Cubrilovic found gaping holes in the myGov website more than a year ago. Security researcher Nik Cubrilovic found gaping holes in the myGov website more than a year ago. Photo: Andrew Meares
 
"I've just spent about an hour on the phone to four myGov technical support people to explain to them that there is a serious bug on the myGov website that will expose another person's ATO information if they share the same computer and browser," Mr Liew said in his video.

"This is very common [to share computers] in workplaces and public libraries however none of them seems to be able to understand what I was trying to say."

Despite the ATO saying this week that it had fixed the problem, Mr Liew was ordered to remove the video from YouTube, with the Tax Office citing security concerns.

DHS has been asked to clarify whether the flaw was present across other government services such as Medicare or Centrelink. Security analyst Ty Miller said this was a "strong possibility". Another analyst, CQR Security founder Phil Kernick, also said it was possible.

An ATO spokesperson did not directly respond when asked how long the flaw had been active for.

However, they said the ATO was aware of "very limited circumstances" where the flaw could have occurred: if the first user didn't sign out of the ATO website (or the session didn't automatically time out) before they logged out of myGov, and if both such users were using the same device and browser.

"This issue does not occur on all types of devices," the spokesperson said.

"We continue to investigate to ensure no other errors are occurring."

A DHS spokesperson said there was "no flaw" in myGov and that the problem lay with the ATO.
Mr Kernick also said the responsibility to delete cookies lay with the services plugging into myGov, and not with myGov itself.

Broader problems

But security researcher Nik Cubrilovic said the cause of the vulnerability was rooted in the architecture of myGov and its SSO process, and the "very basics" of authenticating a user.

"This is an architectural flaw—there are better methods for having SSO where logging out once at myGov would also log you out of any other site," Mr Cubrilovic said.

"I'm ... not comfortable with the blame shifting [from DHS to ATO]. It suggests that the culture that led to this bug and previous bugs is still prevalent at the department and that more issues are a matter of when rather than if."

The ATO spokesperson said the department "worked with DHS to design its online services in the context of the myGov website".

Mr Cubrilovic last year revealed a separate security flaw with myGov, also relating to cookies, which allowed user accounts to be hijacked.

In a document sent to DHS and seen by Fairfax Media, he outlined no less than 12 security issues with the myGov portal and gave recommendations as to how they could be fixed.

One-and-a-half years later Mr Cubrilovic said some of the recommendations had still not been implemented.
"In my original report there were recommendations to shorten the time that cookies are valid, to change the cookie type so that it couldn't be stolen and to unset them properly, but none of these were taken up," he said.

The flaw uncovered this week could also be replicated remotely—i.e. not necessarily only affecting people using the same computer and browser—if someone gained access to the user's cookie, he said.

Mr Cubrilovic said he was "not 100 per cent confident" in the way the ATO had implemented a fix for the new bug, because there was "still so much that can go wrong".

"A proper fix for this issue would be to re-architect the SSO process," he said.

Difficulties reporting bugs

The most simple of Mr Cubrilovic's recommendations from last year was to have a clear point of contact for users to report website bugs.

Mr Liew said he posted a video on YouTube documenting the flaw because attempts to report the bug via myGov and ATO customer service channels had resulted in him being hung up on twice. One staff member even told him to reboot his computer, he said.

In his video Mr Liew described speaking to four separate myGov support staff over an hour, none of whom were able to log the issue and direct it to security. He then rang ATO support, only to be told to contact myGov.

An ATO spokesperson said the department had reviewed its call with Mr Liew and while its staff member had been "professional and courteous at all times", she had "incorrectly referred the user to the myGov hotline".

"We recognise that on this occasion the user received incorrect advice," the spokesperson said, adding that the issue was being addressed via coaching and feedback.

Mr Cubrilovic described the failure to implement a clear channel for reporting bugs as "gross neglect" and said he had experienced similar issues as Mr Liew when trying to alert myGov about security flaws in the past. Action was taken only after he contacted a senior IT staff member directly via Twitter, he said.
 
smh.com.au 19 November 2015
 
That's what happens when you pay peanuts, you get 'monkeys'.
 
The Australian government outsources cheap unskilled I.T. labour from third world countries, where the IT qualifications are not worth the photocopied paper they're on.

We are aware of many other security flaws in government departments, but approaching them, they treat you as if you are the criminal.

As long as the Australian government persecutes easy targets for 'tax' and lets the real corporate criminals walk free, EVERYTHING is OKAY!

At the end of the day it is the masses (in this case private information leaked) that suffer from an incompetent government.
 
The government also 'forces' users to use the MyGov website.

1 comment:

Anonymous said...

A web site designer should never rely on cookies to hold authentication data unless it's merely a id or session reference. The session should be destroyed at the server.

Browsers also should respect inter domain restrictions too, regarding cookies.