How to design a secure government web service - not
An independent investigation into personal data leaks via UK visa processing web sites developed and managed by an Indian outsource provider has uncovered a catalogue of basic security flaws, together with inadequate monitoring and response processes.
In 2003, Visa Facilitation Services (VFS), an India-based subsidiary of the Kuoni Travel group, obtained an outsourcing contract to implement and run a customer-facing web service for UK visa applications in India, Nigeria and Russia; the service went live in September 2004. The service collected sensitive personal data from visa applicants via a web form, collated it, and submitted it in batches, out of band, to the Foreign and Commonwealth Office's visa processing agency, UKvisas. As later proved fortunate, the VFS system did not connect to government networks.
In December 2005 a user in India (Mr. Mitra) discovered that he could view the details of other users by simple manipulation of a user ID in the URL of the site. He informed both VFS and the British High Commission but apparently got no effective response. A similar incident occurred in Nigeria in April 2006. The discoverer also informed VFS, who this time responded with assurances that the matter would be attended to. A second Nigeria user reported problems around the same time, finding that applicants' personal details could appear in the wrong application form. This user received only an automated acknowledgement.
Having apparently been offered no satisfactory resolution, in May 2007 Mitra both went public on a blog and reported the matter to MI5. A couple of days later he got a journalist (Mr. Winder) interested, and Winder's own experiments demonstrated that, 18 months after the bug was first reported, the problem had still not been fixed. Only then, once the press was involved, did VFS apparently start to investigate the matter in earnest. However, the sites in all countries were taken down on the instructions of UKvisas before any fix was actually implemented. It has been asserted that no evidence of abuse was subsequently found.
The independent report (PDF) into these incidents discloses a catalogue of basic security failings across VFS, not least in the design of the web service itself. The identified information leak derived from the use of a persistent, shared temporary file accessed by all user transactions. Although the primary data were purged on a regular schedule, the content of this temporary file remained and could be accessed by users. Strictly sequential numeric applicant IDs and, apparently, the use of the GET method for login and session management (so that identifiers travelled in the URL) allowed the URL manipulation that exposed this data. The SQL database was also largely unprotected and open to SQL injection. It emerged during the investigation that the system had never been penetration tested.
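The leak mechanism described above (a record that anyone can fetch by editing a sequential ID in the URL, with the session carried in the query string rather than checked against the record's owner) is a missing-authorization flaw. The following is an added example, not code from the article or from the VFS system: a minimal Python sketch of the flawed lookup pattern next to a corrected one, in which record identifiers are random and unguessable, the session token is issued server-side, and every read is checked against the record's owner. All class and function names (VulnerableStore, HardenedStore, Application) and the sample data are constructed for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Application:
    """One visa application record (constructed sample data)."""
    owner: str            # account that created the record
    applicant_name: str
    passport_no: str


class VulnerableStore:
    """The flawed pattern: sequential integer IDs and no ownership check.

    Whoever can guess the next integer (trivial when IDs are sequential)
    can read the previous applicant's record.
    """

    def __init__(self):
        self._next_id = 1
        self._records = {}

    def create(self, owner, applicant_name, passport_no):
        app_id = self._next_id          # predictable: 1, 2, 3, ...
        self._next_id += 1
        self._records[app_id] = Application(owner, applicant_name, passport_no)
        return app_id

    def get(self, app_id, requesting_user):
        # requesting_user is accepted but never compared with record.owner,
        # so the lookup is effectively unauthenticated.
        return self._records.get(app_id)


class HardenedStore:
    """Corrected pattern: opaque IDs, server-issued sessions, owner check."""

    def __init__(self):
        self._records = {}
        self._sessions = {}   # session token -> account name

    def login(self, account):
        # Token is random and would be sent back in a cookie or header,
        # never embedded in a GET URL where it ends up in logs and history.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = account
        return token

    def create(self, session_token, applicant_name, passport_no):
        owner = self._sessions.get(session_token)
        if owner is None:
            raise PermissionError("not authenticated")
        app_id = secrets.token_urlsafe(16)   # 128 bits: not enumerable
        self._records[app_id] = Application(owner, applicant_name, passport_no)
        return app_id

    def get(self, session_token, app_id):
        owner = self._sessions.get(session_token)
        if owner is None:
            raise PermissionError("not authenticated")
        record = self._records.get(app_id)
        # Missing and foreign records get the same answer, so the
        # endpoint does not confirm which IDs exist.
        if record is None or record.owner != owner:
            raise PermissionError("no such record for this account")
        return record


def cross_read_possible(store_cls):
    """Return True if account 'alice' can read a record created by 'bob'.

    Drives both stores through the same scenario so the difference in
    behaviour is visible without a web server.
    """
    if store_cls is VulnerableStore:
        store = store_cls()
        alice_id = store.create("alice", "Alice A", "P111111")
        bob_id = store.create("bob", "Bob B", "P222222")
        # Alice simply adds one to her own ID.
        leaked = store.get(alice_id + 1, "alice")
        return leaked is not None and leaked.owner == "bob"
    store = store_cls()
    alice_token = store.login("alice")
    bob_token = store.login("bob")
    store.create(alice_token, "Alice A", "P111111")
    bob_id = store.create(bob_token, "Bob B", "P222222")
    try:
        store.get(alice_token, bob_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("vulnerable store leaks:", cross_read_possible(VulnerableStore))
    print("hardened store leaks:  ", cross_read_possible(HardenedStore))
```

The random identifier is a defence in depth, not the fix: the ownership comparison in `HardenedStore.get` is what closes the hole, and it is the check a penetration test of the original service would have exercised first.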
The report also identifies organisational security problems within VFS including poor password management, the use of Skype and web mail on a firewall management console, and inadequate management of system logs, which hampered investigation and debriefing. It specifically notes the lack of effective response to the problem, finding it "regrettable that it took media cover through Mr Winder before UKvisas and VFS started to take adequate action..."
The report notes that "the VFS online system is so poor that it should be completely re-written - one expert described it as an upside down pyramid, where piling more levels of changes and processes on the top only makes it more likely to fall over." and that "VFS has accepted that it is not an IT company and that it needs to outsource its software writing." This raises the question of how any adequate procurement process for a transnational IT project handling sensitive personal data could result in the contract being awarded to a supplier with such a lack of technical expertise in the requisite field.
Reference: Breach of data security in the VFS online UK visa application facility..., report by independent investigator L. M. Costelloe Baker.