Canadian Passport Website Falls For Oldest Privacy Breach On The Web
from the that-one-again? dept
Back in the early days of the web, there were plenty of stories about a rather simple security breach on various sites. Basically, many sites would pass a user's account number through as part of the URL. If a user changed the number in the URL, he or she could see the account info of the other user associated with the new number. After a few such cases came to light, most web app designers quickly realized they needed to plug that hole, and it's been quite some time since we've heard of a site with such a security hole. However, it appears that there are still a few. The site for Passport Canada, where people can apply for a Canadian passport, apparently had exactly that security vulnerability, allowing the guy who discovered it to see the passport application data of other applicants simply by adjusting the URL. It's never nice to hear about a security flaw (especially on a gov't website with all sorts of private info), but it actually induces a bit of nostalgia to hear of such a basic security flaw showing up in the wild yet again.
Filed Under: breach, canada, passports, security, url, websites
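The flaw described in the post, as an added example that is not code from Techdirt or from the Passport Canada site: a lookup that trusts the identifier taken from the URL, next to one that also checks the record belongs to the logged-in user. The record store, field names and function names are hypothetical.

```python
# Added illustration; all names and records here are constructed, not taken
# from the Passport Canada site.
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str          # account that submitted the application
    full_name: str


# Constructed sample data standing in for the application database.
APPLICATIONS = {
    1001: Application(1001, "alice", "Alice Example"),
    1002: Application(1002, "bob", "Bob Example"),
}


class NotFound(Exception):
    """Raised for both missing and not-owned records, so responses do not
    reveal which identifiers exist."""


def get_application_vulnerable(session_user: str, app_id: int) -> Application:
    # Flaw: the identifier from the URL is the only thing consulted.
    # session_user is never compared with the record's owner.
    try:
        return APPLICATIONS[app_id]
    except KeyError:
        raise NotFound(app_id) from None


def get_application_checked(session_user: str, app_id: int) -> Application:
    # Fix: the server decides access from the authenticated session,
    # not from what the URL asks for.
    record = APPLICATIONS.get(app_id)
    if record is None or record.owner != session_user:
        raise NotFound(app_id)
    return record


def can_read(fetch, session_user: str, app_id: int) -> bool:
    """Return True if fetch() hands the record to session_user."""
    try:
        fetch(session_user, app_id)
        return True
    except NotFound:
        return False
```

A regression test that requests one account's record while logged in as another, as `can_read` does here, is the check that catches this class of bug before release.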
Reader Comments
Embarrassed
Share the love!
[ link to this | view in chronology ]
Nothing is Private
This is just another example of why I do it.
[ link to this | view in chronology ]
What?
"her or she"?
Aside from that: I know what you're trying to say here but this is really very poorly worded. Maybe: "he or she could see the account info of other users."
[ link to this | view in chronology ]
Passport Canada website
[ link to this | view in chronology ]
"he or she?"
most web app designers quickly realized to plug that hole
"quickly reacted?"
Every error reduces your credibility and lowers everyone's expectations. For the love of all that's good in the world, have someone proofread your posts!
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Oh Canada
They have an Epass system where you enter in all of your private info (SIN etc) to access your tax info and such online. Great site, but a little while ago I went to log in and the cert had expired...Months before!!
These are the people we entrust with protecting our freedoms? They can't even protect a web site!
I emailed them to let them know the cert had expired...never heard back and haven't been back to the site since.
[ link to this | view in chronology ]
Re: Oh Canada
[ link to this | view in chronology ]
Form is always more important than function
[ link to this | view in chronology ]
"her or she could see the account info of that other issue associated with the new number."
"her or she"?
Aside from that: I know what you're trying to say here but this is really very poorly worded. Maybe: "he or she could see the account info of other users."
----------------------------------------------
who the hell cares how he spelt it. you understood it. you got it. you didn't even comment on the story just the spelling. is that what you do online nowadays? spell check everyone's articles?
[ link to this | view in chronology ]