Experts have raised concerns over the handling of IT security issues by the Australian Taxation Office and the Department of Human Services, which runs the overarching service portal myGov, after a taxpayer who tried to report the issue claimed he was hung up on twice by the agencies' call centre staff.
Sydney IT professional JP Liew recently found the flaw when logging into myGov to access his online tax records, only to discover he was looking at his wife's.

Because clicking on the PDF link did not actually open a browser page at ato.gov.au, no ato.gov.au page was ever closed and the ATO session cookie never expired. The next person to log in to myGov on the same browser and click a link to ato.gov.au therefore saw the previous user's records.
"I've just spent about an hour on the phone to four myGov technical support people to explain to them that there is a serious bug on the myGov website that will expose another person's ATO information if they share the same computer and browser," Mr Liew said in his video.

"This is very common [to share computers] in workplaces and public libraries however none of them seems to be able to understand what I was trying to say."
Despite the ATO saying this week that it had fixed the problem, Mr Liew was ordered to remove the video from YouTube, with the Tax Office citing security concerns.
DHS has been asked to clarify whether the flaw was present across other government services such as Medicare or Centrelink. Security analyst Ty Miller said this was a "strong possibility". Another analyst, CQR Security founder Phil Kernick, also said it was possible.
An ATO spokesperson did not directly respond when asked how long the flaw had been active for.
However, they said the ATO was aware of "very limited circumstances" where the flaw could have occurred: if the first user didn't sign out of the ATO website (or the session didn't automatically time out) before they logged out of myGov, and if both such users were using the same device and browser.
"This issue does not occur on all types of devices," the spokesperson said.
"We continue to investigate to ensure no other errors are occurring."
A DHS spokesperson said there was "no flaw" in myGov and that the problem lay with the ATO.
Mr Kernick also said the responsibility to delete cookies lay with the services plugging into myGov, and not with myGov itself.
Broader problems
But security researcher Nik Cubrilovic said the cause of the vulnerability was rooted in the architecture of myGov and its SSO process, and the "very basics" of authenticating a user.

"This is an architectural flaw—there are better methods for having SSO where logging out once at myGov would also log you out of any other site," Mr Cubrilovic said.
"I'm ... not comfortable with the blame shifting [from DHS to ATO]. It suggests that the culture that led to this bug and previous bugs is still prevalent at the department and that more issues are a matter of when rather than if."
The ATO spokesperson said the department "worked with DHS to design its online services in the context of the myGov website".
Mr Cubrilovic last year revealed a separate security flaw with myGov, also relating to cookies, which allowed user accounts to be hijacked.
In a document sent to DHS and seen by Fairfax Media, he outlined no fewer than 12 security issues with the myGov portal and gave recommendations as to how they could be fixed.
One-and-a-half years later Mr Cubrilovic said some of the recommendations had still not been implemented.
"In my original report there were recommendations to shorten the time that cookies are valid, to change the cookie type so that it couldn't be stolen and to unset them properly, but none of these were taken up," he said.
The flaw uncovered this week could also be replicated remotely—i.e. not necessarily only affecting people using the same computer and browser—if someone gained access to the user's cookie, he said.
Mr Cubrilovic said he was "not 100 per cent confident" in the way the ATO had implemented a fix for the new bug, because there was "still so much that can go wrong".
"A proper fix for this issue would be to re-architect the SSO process," he said.
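To make the mechanism concrete, here is a small simulation, written for this page and not taken from myGov, DHS or ATO code, of the shared-computer scenario Mr Liew describes and of the single-logout change Mr Cubrilovic argues for. It models myGov as an identity provider and ato.gov.au as a linked agency that mints its own session from an SSO assertion; the host names, cookie names, the two sample users and their "records" are invented for the example. In the vulnerable configuration the agency keeps honouring a session cookie left in the browser after the first user logs out of myGov, so the second user sees the first user's records. Propagating the myGov logout to the agency so that it destroys its server-side session, or simply a short agency session lifetime, closes the gap.

```python
import secrets

# Added example, not myGov, DHS or ATO code. Host names ("mygov", "ato"),
# cookie names, the sample users and their "records" are assumptions.


class Browser:
    """One shared browser: a cookie jar keyed by host, as on a library PC."""
    def __init__(self):
        self.jar = {}  # host -> {cookie name: value}

    def get(self, host, name):
        return self.jar.get(host, {}).get(name)

    def set(self, host, name, value):
        self.jar.setdefault(host, {})[name] = value

    def clear(self, host, name):
        self.jar.get(host, {}).pop(name, None)


class IdentityProvider:
    """Stands in for myGov: holds the SSO login session and issues assertions."""
    def __init__(self, propagate_logout):
        self.sessions = {}         # idp_sid -> username
        self.relying_parties = []  # linked agencies to notify on logout
        self.propagate_logout = propagate_logout

    def login(self, browser, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        browser.set("mygov", "sid", sid)
        return sid

    def assert_identity(self, sid):
        """What a linked agency learns when the user follows an SSO link."""
        return self.sessions.get(sid)

    def logout(self, browser):
        sid = browser.get("mygov", "sid")
        self.sessions.pop(sid, None)
        browser.clear("mygov", "sid")
        if self.propagate_logout:
            # Single logout: tell every linked agency, server to server, to
            # destroy the sessions it derived from this myGov session.
            for rp in self.relying_parties:
                rp.backchannel_logout(sid)


class RelyingParty:
    """Stands in for ato.gov.au: mints its own session from an SSO assertion."""
    def __init__(self, idp, ttl):
        self.idp = idp
        idp.relying_parties.append(self)
        self.ttl = ttl      # agency session lifetime in seconds
        self.sessions = {}  # rp_sid -> (user, idp_sid, expiry)
        self.records = {"alice": "Alice's tax records", "bob": "Bob's tax records"}

    def follow_sso_link(self, browser, now):
        """Serve the records of whoever the agency session says is logged in."""
        rp_sid = browser.get("ato", "session")
        if rp_sid in self.sessions:
            # The flaw: an agency cookie left behind in the shared browser is
            # honoured without checking who is currently logged in to myGov.
            user, _idp_sid, expiry = self.sessions[rp_sid]
            if now < expiry:
                return self.records[user]
            del self.sessions[rp_sid]  # expired: fall through to a fresh assertion
        idp_sid = browser.get("mygov", "sid")
        user = self.idp.assert_identity(idp_sid)
        if user is None:
            return None  # not logged in to myGov: nothing to show
        rp_sid = secrets.token_urlsafe(16)
        self.sessions[rp_sid] = (user, idp_sid, now + self.ttl)
        browser.set("ato", "session", rp_sid)
        return self.records[user]

    def backchannel_logout(self, idp_sid):
        """Destroy every agency session derived from the given myGov session."""
        for rp_sid in [k for k, (_, s, _) in self.sessions.items() if s == idp_sid]:
            del self.sessions[rp_sid]

    def cookie_header(self, rp_sid):
        """Set-Cookie line with the attributes the earlier recommendations ask for:
        short lifetime, HttpOnly so page script cannot read it, Secure for TLS only."""
        return f"session={rp_sid}; Path=/; Max-Age={self.ttl}; Secure; HttpOnly; SameSite=Lax"


def shared_computer_scenario(propagate_logout, ttl=3600):
    """Alice uses the agency and logs out of myGov only; Bob then logs in on the
    same browser. Returns (what Alice saw, what Bob saw)."""
    browser = Browser()
    mygov = IdentityProvider(propagate_logout)
    ato = RelyingParty(mygov, ttl)
    mygov.login(browser, "alice")
    alice_sees = ato.follow_sso_link(browser, now=0)
    mygov.logout(browser)  # Alice never signs out of ato.gov.au itself
    mygov.login(browser, "bob")
    bob_sees = ato.follow_sso_link(browser, now=60)
    return alice_sees, bob_sees


if __name__ == "__main__":
    print("no single logout, 1h agency session:", shared_computer_scenario(False))
    print("no single logout, 30s agency session:", shared_computer_scenario(False, ttl=30))
    print("single logout:", shared_computer_scenario(True))
```

Running it prints three outcomes: with no single logout and an hour-long agency session Bob is shown Alice's records; with a 30-second agency session the stale session has expired by the time Bob clicks, so he gets his own; with single logout the agency's server-side session is destroyed when Alice leaves myGov. Note that in the last case the stale cookie is still sitting in the browser; it is the server-side record that has to go, which is also why `cookie_header` pairs a short Max-Age with HttpOnly and Secure so that a cookie that does linger is harder to steal and worth less if it is.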
Difficulties reporting bugs
The most simple of Mr Cubrilovic's recommendations from last year was to have a clear point of contact for users to report website bugs.

Mr Liew said he posted a video on YouTube documenting the flaw because attempts to report the bug via myGov and ATO customer service channels had resulted in him being hung up on twice. One staff member even told him to reboot his computer, he said.
In his video Mr Liew described speaking to four separate myGov support staff over an hour, none of whom were able to log the issue and direct it to security. He then rang ATO support, only to be told to contact myGov.
An ATO spokesperson said the department had reviewed its call with Mr Liew and while its staff member had been "professional and courteous at all times", she had "incorrectly referred the user to the myGov hotline".
"We recognise that on this occasion the user received incorrect advice," the spokesperson said, adding that the issue was being addressed via coaching and feedback.
Mr Cubrilovic described the failure to implement a clear channel for reporting bugs as "gross neglect" and said he had experienced similar issues as Mr Liew when trying to alert myGov about security flaws in the past. Action was taken only after he contacted a senior IT staff member directly via Twitter, he said.
A web site designer should never rely on cookies to hold authentication data unless it's merely an id or session reference. The session should be destroyed at the server.

Browsers also should respect inter domain restrictions too, regarding cookies.