Sanjib Mitra is a man who likes to be responsible and do the right thing. A year ago he discovered, quite by accident, that a little bit of URL tweaking could reveal personal data about people other than himself within a website database. He was completing a complicated application form himself when he was faced with a blank page and a browser back button that did nothing, so he tried changing numerical data at the end of the URL in an effort to salvage some of the information he had spent the previous hour entering. His reward was not time saved and the application retrieved, but rather the applications of pretty much anyone who had ever used the system at any time in the past, and all it took was a different number to be substituted in the URL.
Now this is nothing unusual, poorly designed sites make this kind of security gaff all the time. Of course when it is a commercial site and it is customer data we are talking about then things take on a rather different perspective than the local bowling club membership database being exposed. Unfortunately, the website that Sanjib was logged on to at the time was VFS India, the British High Commission's commercial partner in India to which it outsources the operation of visa application centers on behalf of the four visa departments in India. Indian citizens wishing to travel to the UK and requiring visas use this service to make their applications online.
The personal data that Sanjib was able to read was the full visa application details of assorted strangers. By simply changing part of the URL, it was possible to bring up intimate detail of other applicants such as their full names, addresses, employment details, passport number, spouses details, kids details and so on. Just the kind of thing that your average ID thief would pay good money for, and your average terrorist dreams about.
Given that Sanjib did the right thing, a year ago, and reported the problem to VFS as well as the British High Commission, why am I bothering to write about it now?
Mainly, it has to be said, because after a year that security hole was gaping as wide open as ever. Although I will refrain from posting precise details here, yesterday afternoon I was able to manipulate the data URL simply by changing what appears to be the date on which the application was made along with a sequence number. Doing this, entirely at random, brings up the visa application details of people ranging from someone who applied yesterday through to some who applied a year ago and I have the screenshots to prove it.
I immediately contacted VFS Global to alert them to the fact that this problem was still ongoing and ask what they were doing about it. Although they refrained from making any direct comment, Senior Vice President in New Delhi, Ms. Venku Murthi, did assure me that as a direct result of my probing an immediate investigation would be launched by the VFS IT team.
The Information Commissioner's Office in the UK, responsible for enforcing the Data Protection Act, was not so forthcoming. Nor indeed were the UK Foreign and Commonwealth Office or the British High Commission in India. At the time of writing there have been no replies to my requests for comment on the story from any of them. Frankly, I am amazed that this has been allowed to continue for so long, exposing thousands of Indian identities with enough sensitive data to make ID theft child's play. I am even more amazed that nobody, apart from that VFS Vice President, cared enough to acknowledge I was writing this story and try to prevent my posting it, or provide some kind of mitigating comment by way of an apology and promise that the hole had been sealed shut immediately.
Sanjib did everything right, was responsible in his reporting of the situation and careful not to go down the road of public disclosure immediately. VFS and the British High Commission did everything wrong in not taking his reports seriously and so protecting the applicants who data was being exposed from further vulnerability. What's more, given the political climate in both the UK and India regarding acts of terrorism, by not acting for over a year a door to identity theft, which could just as easily be entered by terrorist groups as fraudsters and accidental tourists, has been left open and unguarded.
Sanjib certainly is taking this seriously, enough so to set up a blog and post some details of the situation within it and then email the UK security services organization, MI5, via their website to report the problem to them . We know that they took it seriously enough to read because the blog visitor log, an Indian blog with no publicity and very few visitors, shows it being accessed by someone in Lambeth, UK within an hour of the report being made. Thames House, the MI5 HQ, overlooks Lambeth Bridge. Of course, the only official response Sanjib got was a template one from a mailbot confirming delivery of his message. Still, that was quicker than the British High Commission which took 2 months to send a standard 'thanks for letting us know' email and did nothing about it, or VFS who never replied at all and did nothing about it.
As Sanjib says "VFS India could be responsible for large scale identity theft, for every online visa application that it receives. This is an issue which I believe is of utmost importance to UK homeland security, and poses a great threat if overlooked."
Perhaps most worryingly of all, VFS handles visa applications for governments around the world, including Russia, South Africa, Singapore and China. Who is to say that the same security hole is not open across all the online visa application sites? The chances, it has to be said, are pretty good that this is indeed the case. Especially as a little digging managed to reveal that the VFS site that handles the visa applications to the USA was suffering from exactly the same gaping security hole back in November 2006 according to one Indian blogger who reports how he managed to bring up the application details of a complete stranger by making a mistake when entering the last few digits of the URL.
At least, as a result of the good citizenship of Sanjib Mitra and this investigation by DaniWeb, VFS Global finally took the problem seriously enough to launch an investigation and within 24 hours the head of IT, Uttam Lahiry, had been in touch to ask for more detail to aid that investigation. Within an hour the security breach had been dealt with.
I can confirm that it is now no longer possible to access the visa application data of complete strangers just by changing a few numbers in the URL. What a shame it took the intervention of this reporter and the DaniWeb investigation to make someone sit up and take notice.
Questions need to be asked as to why VFS did nothing when an Indian citizen, someone directly impacted by the problem, reported it a year ago. Questions need to be asked why the British High Commission ignored that same Indian citizen when he raised serious concerns over homeland security in the UK as a result of the security breach. Questions need to be asked as to how an organization responsible for handling such a sensitive process for governments around the world could be allowed to do so with Mickey Mouse security procedures for so long without any of those governments bothering to check it was adequate.
I have asked those questions of all parties, but adequate replies have not been forthcoming...
UPDATE 15th MAY:
This just in from Mandy Ivemy, Director of Visa Services South Asia for the UK Foreign and Commonwealth Office -
"As a side issue, you might be interested to know that as part of our global standardisation of procedures, we are moving towards hosting all online applications on our secure UK website and hope that this will be in place towards the end of the year. Many of our visa operations already offer this facility, and we hope to do the same in India before December 2007.
I have asked one of VFS's Senior Vice-Presidents to make sure that all of their IT systems continue to be regularly tested so that I can be sure that they are secure. We take customer service issues very seriously indeed, and I will be personally monitoring this aspect of VFS's service to make sure that this does not happen again."
UPDATE 16th MAY:
I wrote "Who is to say that the same security hole is not open across all the online visa application sites?" and can now answer that question. The same security hole was open to application data on a global basis it would seem. I asked Uttam Lahiry, Head of IT for VFS Global, if the problem was a global one and if it had been fixed accordingly and he responded "it is (sic) been resolved globally" which solves that.
And by globally, I mean it. Take a look at the list of VFS clients and you will see that they might just deal with Indian visa applications into the USA, but for the UK they handle applications from India, Singapore, Bangladesh, Malaysia, Sri Lanka, China, Ghana, Qatar, Indonesia, Nigeria, Russia and Thailand. And their other client countries for whom they handle online visa applications include UAE, Ireland, Australia, Italy, France, Canada, Thailand, Germany, Sweden, Belgium, Netherlands and Austria!
With some of these clients dating back to 2001 (as is the case with the USA) it becomes clear that the potential number of people whose data was at risk of exposure rises from thousands into millions. VFS Global claim to handle 3 million applications per year, do the math...