New flaw found in federal systems
A serious security flaw in Federal Government financial systems has left Australians' private tax records unsecured.
It is just the latest in a long-running series of big security bungles by the government.
The latest flaw again casts doubt on the ability of a government that is constantly seeking more data to store it securely.
An expert spotted the IT security issue in the way the Australian Taxation Office communicates with the Department of Human Services’ myGov system.
Sydney-based IT professional JP Liew found it when he went to log into myGov to see his online tax records, and discovered he was looking at his wife's.
Mr Liew says he downloaded a PDF letter from the tax office from a link within the myGov mailbox.
He found this created a cookie that logs the user into ato.gov.au.
The cookies authenticate the “single sign-on” (SSO) process, in which the user can access multiple myGov services but only has to log in once.
But clicking on the PDF link did not open a browser page at ato.gov.au, so there was never a visible ATO session to close or sign out of; the ATO cookie simply stayed in the browser after the user logged out of myGov.
Because the cookie did not expire, the next person to log in to myGov on the same browser and click on the ATO link was shown the previous user's records.
“I've just spent about an hour on the phone to four myGov technical support people to explain to them that there is a serious bug on the myGov website that will expose another person's ATO information if they share the same computer and browser,” Mr Liew told Fairfax Media.
“[It] is very common [to share computers] in workplaces and public libraries however none of them seems to be able to understand what I was trying to say.”
The ATO says it has fixed the problem and has sought to allay concerns about it.
“This issue does not occur on all types of devices,” an ATO spokesperson told reporters.
“We continue to investigate to ensure no other errors are occurring.”
Analysts say it is possible that the problem is repeated in other online government services.
Security researcher Nik Cubrilovic says that the source of the vulnerability was in the very architecture of myGov’s SSO process.
“This is an architectural flaw—there are better methods for having SSO where logging out once at myGov would also log you out of any other site,” Mr Cubrilovic told Fairfax.
“I'm ... not comfortable with the blame shifting [from DHS to ATO]. It suggests that the culture that led to this bug and previous bugs is still prevalent at the department and that more issues are a matter of when rather than if.”
Mr Cubrilovic spotted a separate security flaw with myGov last year, which also related to cookies.
He says that out of 12 security issues with the myGov portal he showed the government last year, only half had been fixed.
“In my original report there were recommendations to shorten the time that cookies are valid, to change the cookie type so that it couldn't be stolen and to unset them properly, but none of these were taken up,” he said.
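To make the mechanism described earlier in the article and the fixes Mr Cubrilovic lists concrete, here is an added Python simulation; it is not myGov, ATO or either researcher's code. An identity provider stands in for the portal, a service provider for the linked service, and one shared Browser object is the library PC. In the vulnerable configuration the service trusts its own cookie with no expiry and no tie to the portal login that created it. The hardened configuration adds back-channel single logout (logging out of the portal also ends the service session), binds every service session to the portal login it was minted from, and gives both cookies a lifetime. Cookie names, the 30-minute lifetime and the record strings are assumptions made for the example.

```python
"""Model of a cookie-based SSO session that outlives the portal logout, and a hardened variant.

Illustrative simulation only: nothing here is myGov or ATO code. Cookie names,
lifetimes and records are constructed for the example.
"""
import secrets
from dataclasses import dataclass


class Browser:
    """One browser profile shared by successive people, e.g. a library PC."""
    def __init__(self):
        self.cookies = {}


@dataclass
class Session:
    user: str
    created: float
    idp_sid: str = ""   # for service sessions: the portal session they were minted from


class IdentityProvider:
    """Stands in for the portal (IdP): authenticates users and vouches for them to services."""
    COOKIE = "portal_session"           # assumed cookie name

    def __init__(self, max_age=None):   # None = cookie never expires (the vulnerable setting)
        self.max_age = max_age
        self.sessions = {}
        self.relying_parties = []

    def login(self, browser, user, now):
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user, now)
        browser.cookies[self.COOKIE] = sid

    def user_for(self, sid, now):
        sess = self.sessions.get(sid)
        if sess is None or (self.max_age is not None and now - sess.created > self.max_age):
            return None
        return sess.user

    def logout(self, browser, single_logout):
        sid = browser.cookies.pop(self.COOKIE, None)
        self.sessions.pop(sid, None)
        if single_logout:
            # Single logout: every service that minted a session from this login drops it.
            for sp in self.relying_parties:
                sp.backchannel_logout(sid)


class ServiceProvider:
    """Stands in for the linked service (SP): sets its own cookie once the portal has vouched."""
    COOKIE = "service_session"          # assumed cookie name

    def __init__(self, idp, hardened, max_age=1800.0):
        self.idp, self.hardened = idp, hardened
        self.max_age = max_age if hardened else None
        self.sessions, self.records = {}, {}
        idp.relying_parties.append(self)

    def open_link(self, browser, now):
        """Follow the 'view your letter' link; return the records the browser is shown."""
        sid = browser.cookies.get(self.COOKIE)
        sess = self.sessions.get(sid)
        if sess is not None:
            stale = (self.max_age is not None and now - sess.created > self.max_age) or (
                self.hardened and sess.idp_sid != browser.cookies.get(self.idp.COOKIE))
            if not stale:
                return self.records.get(sess.user)   # vulnerable path: cookie trusted as-is
            self.sessions.pop(sid, None)
            browser.cookies.pop(self.COOKIE, None)
        # No usable service session: go through SSO and bind the new one to the current login.
        idp_sid = browser.cookies.get(self.idp.COOKIE)
        user = self.idp.user_for(idp_sid, now)
        if user is None:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user, now, idp_sid)
        browser.cookies[self.COOKIE] = sid
        return self.records.get(user)

    def backchannel_logout(self, idp_sid):
        self.sessions = {s: v for s, v in self.sessions.items() if v.idp_sid != idp_sid}


def build(hardened):
    idp = IdentityProvider(max_age=1800.0 if hardened else None)
    sp = ServiceProvider(idp, hardened)
    sp.records = {"alice": "ALICE-TAX-RECORDS", "bob": "BOB-TAX-RECORDS"}   # constructed data
    return idp, sp, Browser()


def shared_computer_scenario(hardened):
    """Alice reads her letter, logs out of the portal, Bob logs in and clicks the same link.
    Returns the records Bob is shown."""
    idp, sp, browser = build(hardened)
    idp.login(browser, "alice", 0.0)
    sp.open_link(browser, 1.0)
    # The link never opened a visible service page, so Alice only ever logs out of the portal.
    idp.logout(browser, single_logout=hardened)
    idp.login(browser, "bob", 60.0)
    return sp.open_link(browser, 61.0)


def abandoned_session_scenario(hardened, elapsed):
    """Alice walks away without logging out; `elapsed` seconds later someone at the same
    browser follows the link. Returns what they are shown."""
    idp, sp, browser = build(hardened)
    idp.login(browser, "alice", 0.0)
    sp.open_link(browser, 1.0)
    return sp.open_link(browser, elapsed)


if __name__ == "__main__":
    print("shared computer, vulnerable:", shared_computer_scenario(False))
    print("shared computer, hardened:  ", shared_computer_scenario(True))
    print("abandoned 2h, vulnerable:   ", abandoned_session_scenario(False, 7200.0))
    print("abandoned 2h, hardened:     ", abandoned_session_scenario(True, 7200.0))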
One key hurdle he pointed out – and Mr Liew said he faced – was the fact that there is no dedicated channel with either the ATO or DHS for users to report such flaws.
This problem is what forced Mr Liew to reveal what he found on YouTube, while Mr Cubrilovic only got a response when he contacted a senior IT staff member directly via Twitter.