Sanjib Mitra is a man who likes to be responsible and do the right thing. A year ago he discovered, quite by accident, that a little bit of URL tweaking could reveal personal data about people other than himself within a website database. He was completing a complicated application form himself when he was faced with a blank page and a browser back button that did nothing, so he tried changing numerical data at the end of the URL in an effort to salvage some of the information he had spent the previous hour entering. His reward was not time saved and the application retrieved, but rather the applications of pretty much anyone who had ever used the system at any time in the past, and all it took was a different number to be substituted in the URL.
Now, this is nothing unusual: poorly designed sites make this kind of security gaffe all the time. Of course, when it is a commercial site and it is customer data we are talking about, then things take on a rather different perspective than the local bowling club membership database being exposed. Unfortunately, the website that Sanjib was logged on to at the time was VFS India, the British High Commission’s commercial partner in India to which it outsources the operation of visa application centers on behalf of the four visa departments in India. Indian citizens wishing to travel to the UK and requiring visas use this service to make their applications online.
The personal data that Sanjib was able to read was the full visa application details of assorted strangers. By simply changing part of the URL, it was possible to bring up intimate detail of other applicants such as their full names, addresses, employment details, passport number, spouse's details, children's details and so on. In other words, the server looked an application up by the identifier in the URL and never checked that it belonged to the user who was logged in, the textbook insecure direct object reference. Just the kind of thing that your average ID thief would pay good money for, and your average terrorist dreams about.
Given that Sanjib did the right thing, a year ago, and reported the problem to VFS as well as the British High Commission, why am I bothering to write about it now?
Mainly, it has to be said, because after a year that security hole was gaping as wide open as ever. Although I will refrain from posting precise details here, yesterday afternoon I was able to manipulate the data URL simply by changing what appears to be the date on which the application was made along with a sequence number. Doing this, entirely at random, brings up the visa application details of people ranging from someone who applied yesterday through to some who applied a year ago and I have the screenshots to prove it.
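To make the mechanics concrete, here is an added example (written for this page, not VFS code, and not taken from the VFS site) of the "change a number in the URL" flaw beside the fix. The reference format (an application date followed by a four-digit daily sequence number), the handler names and the sample records are all constructed assumptions for illustration; the VFS site's real reference layout is not known beyond what the paragraphs above describe.

```python
# Added illustration of the flaw described above. This is not VFS code and
# nothing here is taken from the VFS site: the reference format
# (date + four-digit sequence number), the handler names and the sample
# records are all constructed for the example.
from urllib.parse import urlparse, parse_qs

# Constructed sample "database": application reference -> record.
# A reference is the application date followed by a daily sequence number,
# which is the guessable shape the article describes.
APPLICATIONS = {
    "200705130041": {"owner": "sanjib", "name": "Sanjib M.", "passport": "A0000001"},
    "200705130042": {"owner": "alice",  "name": "Alice A.",  "passport": "A0000002"},
    "200605100007": {"owner": "bob",    "name": "Bob B.",    "passport": "A0000003"},
}


def _ref_from(url):
    """Pull the ?ref= value out of a URL (None if absent)."""
    return parse_qs(urlparse(url).query).get("ref", [None])[0]


def vulnerable_view(url, session_user):
    """The behaviour the article describes: the record is looked up by the
    identifier in the URL and handed to whoever is logged in. The
    session_user argument is never consulted, which is the whole bug."""
    return APPLICATIONS.get(_ref_from(url))


def hardened_view(url, session_user):
    """Same lookup, but the record is only returned if it belongs to the
    logged-in user. Missing and not-yours both come back as None so the
    response does not reveal whether a reference exists."""
    rec = APPLICATIONS.get(_ref_from(url))
    if rec is None or rec["owner"] != session_user:
        return None
    return rec


def enumerate_refs(day, start, stop):
    """The attacker's side: walk the sequence number for one application day."""
    return [f"{day}{n:04d}" for n in range(start, stop)]


def probe(view, session_user, day, start, stop):
    """Run a sequence-number sweep against a view function and return the
    references that produced someone else's record."""
    leaked = []
    for ref in enumerate_refs(day, start, stop):
        rec = view(f"https://visa.example.invalid/application?ref={ref}", session_user)
        if rec is not None and rec["owner"] != session_user:
            leaked.append(ref)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_view, "sanjib", "20070513", 40, 45))  # ['200705130042']
    print("hardened:  ", probe(hardened_view, "sanjib", "20070513", 40, 45))    # []
```

The fix that matters is the ownership check on every lookup, not a prettier URL. Replacing date-plus-sequence references with long random tokens is worth doing as defence in depth, because it turns a five-minute sweep into a hopeless guessing game, but it is not a substitute: a token that leaks through browser history, a referer header or a forwarded link still opens the record unless the server asks who is asking.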
I immediately contacted VFS Global to alert them to the fact that this problem was still ongoing and to ask what they were doing about it. Although they refrained from making any direct comment, Senior Vice President in New Delhi, Ms. Venku Murthi, did assure me that as a direct result of my probing an immediate investigation would be launched by the VFS IT team.
The Information Commissioner’s Office in the UK, responsible for enforcing the Data Protection Act, was not so forthcoming. Nor indeed were the UK Foreign and Commonwealth Office or the British High Commission in India. At the time of writing there have been no replies to my requests for comment on the story from any of them. Frankly, I am amazed that this has been allowed to continue for so long, exposing thousands of Indian identities with enough sensitive data to make ID theft child’s play. I am even more amazed that nobody, apart from that VFS Vice President, cared enough to acknowledge I was writing this story and try to prevent my posting it, or provide some kind of mitigating comment by way of an apology and promise that the hole had been sealed shut immediately.
Sanjib did everything right, was responsible in his reporting of the situation and careful not to go down the road of public disclosure immediately. VFS and the British High Commission did everything wrong in not taking his reports seriously and so protecting the applicants whose data was being exposed from further vulnerability. What’s more, given the political climate in both the UK and India regarding acts of terrorism, by not acting for over a year a door to identity theft, which could just as easily be entered by terrorist groups as by fraudsters and accidental tourists, has been left open and unguarded.
Sanjib certainly is taking this seriously, enough so to set up a blog and post some details of the situation within it and then email the UK security services organization, MI5, via their website to report the problem to them. We know that they took it seriously enough to read because the blog visitor log, an Indian blog with no publicity and very few visitors, shows it being accessed by someone in Lambeth, UK within an hour of the report being made. Thames House, the MI5 HQ, overlooks Lambeth Bridge. Of course, the only official response Sanjib got was a template one from a mailbot confirming delivery of his message. Still, that was quicker than the British High Commission, which took 2 months to send a standard ‘thanks for letting us know’ email and did nothing about it, or VFS, who never replied at all and did nothing about it.
As Sanjib says “VFS India could be responsible for large scale identity theft, for every online visa application that it receives. This is an issue which I believe is of utmost importance to UK homeland security, and poses a great threat if overlooked.”
Perhaps most worryingly of all, VFS handles visa applications for governments around the world, including Russia, South Africa, Singapore and China. Who is to say that the same security hole is not open across all the online visa application sites? The chances, it has to be said, are pretty good that this is indeed the case. Especially as a little digging managed to reveal that the VFS site that handles the visa applications to the USA was suffering from exactly the same gaping security hole back in November 2006 according to one Indian blogger who reports how he managed to bring up the application details of a complete stranger by making a mistake when entering the last few digits of the URL.
At least, as a result of the good citizenship of Sanjib Mitra and this investigation by DaniWeb, VFS Global finally took the problem seriously enough to launch an investigation and within 24 hours the head of IT, Uttam Lahiry, had been in touch to ask for more detail to aid that investigation. Within an hour the security breach had been dealt with.
I can confirm that it is now no longer possible to access the visa application data of complete strangers just by changing a few numbers in the URL. What a shame it took the intervention of this reporter and the DaniWeb investigation to make someone sit up and take notice.
Questions need to be asked as to why VFS did nothing when an Indian citizen, someone directly impacted by the problem, reported it a year ago. Questions need to be asked why the British High Commission ignored that same Indian citizen when he raised serious concerns over homeland security in the UK as a result of the security breach. Questions need to be asked as to how an organization responsible for handling such a sensitive process for governments around the world could be allowed to do so with Mickey Mouse security procedures for so long without any of those governments bothering to check it was adequate.
I have asked those questions of all parties, but adequate replies have not been forthcoming…
UPDATE 15th MAY:
This just in from Mandy Ivemy, Director of Visa Services South Asia for the UK Foreign and Commonwealth Office -
"As a side issue, you might be interested to know that as part of our global standardisation of procedures, we are moving towards hosting all online applications on our secure UK website and hope that this will be in place towards the end of the year. Many of our visa operations already offer this facility, and we hope to do the same in India before December 2007.
I have asked one of VFS's Senior Vice-Presidents to make sure that all of their IT systems continue to be regularly tested so that I can be sure that they are secure. We take customer service issues very seriously indeed, and I will be personally monitoring this aspect of VFS's service to make sure that this does not happen again."
UPDATE 16th MAY:
I wrote "Who is to say that the same security hole is not open across all the online visa application sites?" and can now answer that question. The same security hole was open to application data on a global basis it would seem. I asked Uttam Lahiry, Head of IT for VFS Global, if the problem was a global one and if it had been fixed accordingly and he responded "it is (sic) been resolved globally" which solves that.
And by globally, I mean it. Take a look at the list of VFS clients and you will see that they might just deal with Indian visa applications into the USA, but for the UK they handle applications from India, Singapore, Bangladesh, Malaysia, Sri Lanka, China, Ghana, Qatar, Indonesia, Nigeria, Russia and Thailand. And their other client countries for whom they handle online visa applications include UAE, Ireland, Australia, Italy, France, Canada, Thailand, Germany, Sweden, Belgium, Netherlands and Austria!
With some of these clients dating back to 2001 (as is the case with the USA) it becomes clear that the potential number of people whose data was at risk of exposure rises from thousands into millions. VFS Global claim to handle 3 million applications per year, do the math...
I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro, the best selling IT magazine in the UK.
Sad really that they could have just hired a couple of white hats and got it fixed in the beginning. At least Sanjib Mitra is a good guy and didn't release this to all the underground sites out there. He would have been "the dude" if he did though.
I like to think I 'did the right thing' by not running the story until after VFS Global had been given a chance to close the hole. I could have easily gone public yesterday and probably got a much bigger story out of it, but that would not have been fair on the thousands of people whose data would have been at even greater risk.
I guess this means I do have some ethical responsibility somewhere in my journalist bones :)
No one, unless there is fear of any statutory / regulatory action.
For one year people at VFS and the British HC slept on the complaint. Why?
Not bothered. No fear of any prosecution or loss of credibility or action. Why have IT security voluntarily, at the cost of money, effort, comfort and nuisance to the company and the user? They never thought of the harm or inconvenience or losses caused to the customer. They were simply bothered about their profits and comfort.
Without SOX, DPA, HIPAA, HSA, ITAct, SAS-70, etc., NO ONE has been bothered to secure their IT infrastructure and assets.
There is no substitute to Regulatory action (Caning).
Only one bug in the VFS website was exposed by Sanjib, by serendipity. Thanks to Sanjib, Daniweb and Davey Winder.
Who knows, there must still be many bugs / vulnerabilities in VFS application, network, policies and procedures, infrastructure and people.
How will they be addressed?
Till then, my data is at risk of exposure. There needs to be a class action against VFS and BHC for their carelessness towards exposure of customer data.
This posting became the basis of the main news story on Channel 4 News in the UK last night, and the streaming video of that broadcast can be viewed on the Channel 4 website.
Not only have we (Sanjib, DaniWeb, Channel 4 and myself) succeeded in getting the breach secured, but online visa applications to a number of countries have now been suspended by VFS Global while further investigations are made.
It also looks very likely that questions will be asked in the UK Parliament, questions that will demand answers at the very highest government level as to how this could have been allowed to happen in the first place and then go unsecured for a whole year after first being reported.
A job well done methinks, and I am feeling rather chuffed with myself as a result :)
The UK government visa information website, UKvisas, has now issued a statement as follows:
"VFS ONLINE APPLICATIONS IN INDIA, RUSSIA AND NIGERIA
VFS Global Ltd provides an on-line application system for UK visa applicants in India, Russia and Nigeria. Due to a technical problem the VFS on-line application system is currently unavailable.
Customers applying for visas in these countries should contact their nearest visa application centre for further information."
Of course, they don't mention that the technical problem is actually the fear that the systems might still be insecure in some way.
The UK Secretary of State for Foreign and Commonwealth Affairs, Lord Triesman, is more forthcoming. Quoted in a report about the scandal at The Register he states "The VFS online facility will not be resumed until VFS and UKvisas can be assured that it is absolutely secure."
I have worked for VFS offices in India and UAE and can tell you that it is a joke. Their systems are total n00b jobs. I can get you a targeted list of names and addresses in a matter of minutes. Their passwords are also, umm, how do I put it, "easy". Even script kiddies won't need to use scripts to use their systems to gain access. I also complained years back but it seems my login details still work lol.
The Information Commissioner in the UK has today been in touch to confirm that an official investigation of how the Foreign and Commonwealth Office handled both the security aspect of the visa outsourcing in this case and the discovery of the breach (or more accurately the delay between being first informed and then taking action a year later) is now underway and that I may be asked to provide evidence during the course of that investigation.
And in a further update, I am now also helping with an official investigation into the matter that has been ordered by the UK Foreign Secretary, who will report to Parliament once the independent investigation is complete.