Canadian Passport Website Falls For Oldest Privacy Breach On The Web

from the that-one-again? dept

Thu, Dec 6th 2007 12:43am — Mike Masnick

Back in the early days of the web, there were plenty of stories about a rather simple security breach on various sites. Basically, many sites would simply pass a user's account number through as a part of the URL. If a user simply changed the URL, her or she could see the account info of that other issue associated with the new number. After a few such cases came to light, most web app designers quickly realized to plug that hole, and it's been quite some time since we've heard of a site with such a security hole. However, it appears that there are still a few. The site for Passport Canada, where people can apply for a Canadian passport apparently had exactly that security vulnerability, allowing the guy who discovered it to see the passport application data of other applicants simply by adjusting the URL. It's never nice to hear about a security flaw (especially on a gov't website with all sorts of private info), but it actually induces a bit of nostalgia to hear of such a basic security flaw showing up in the wild yet again.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: breach, canada, passports, security, url, websites

10 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Bah-Humbug, 6 Dec 2007 @ 1:04am

Embarrassed
I'm Canadian and I'm embarrassed that we have such shoddy web designing. What I'm not embarrassed about it the fact that I've listened to Aerodynamic by Daft Punk about 6 times now on repeat. It's just as awesome today as it was 6 years ago.

Share the love!
[ link to this | view in thread ]
Max Powers, 6 Dec 2007 @ 3:38am

Nothing is Private
I still assume that anything that I have put online is at risk of hacking. Checking my credit reports, bank accounts, credit card accounts, social security information and other items has become a regular routine of mine.

This is just another example of why I do it.
[ link to this | view in thread ]
Jim, 6 Dec 2007 @ 6:10am

What?
"her or she could see the account info of that other issue associated with the new number."

"her or she"?

Aside from that: I know what you're trying to say here but this is really very poorly worded. Maybe: "he or she could see the account info of other users."
[ link to this | view in thread ]
Harry, 6 Dec 2007 @ 6:39am

Passport Canada website
This news article was on the CBC a few nights ago. The guy who discovered the security flaw said that he probably wasn't the first, so who knows how many records were compromised? Given the many government rules and regulations and standards, as well as all the money it spends, one would expect a near bulletproof website. There were lots of theatrics about it in the House of Commons. You can bet a few heads will roll!
[ link to this | view in thread ]
Anonymous Coward, 6 Dec 2007 @ 7:20am

her or she could see the account info
"he or she?"

most web app designers quickly realized to plug that hole
"quickly reacted?"

Every error reduces your credibility and lowers everyone's expectations. For the love of all that's good in the world, have someone proofread your posts!
[ link to this | view in thread ]
dorpass, 6 Dec 2007 @ 7:48am

Re:
If you want something with less typos, read a dictionary.
[ link to this | view in thread ]
Just Me, 6 Dec 2007 @ 8:26am

Oh Canada
I am Canadian (Molsen anyone?) and I have to say that I'm not overly comfortable with the Canadian Gov's IT work before this.
They have an Epass system where you enter in all of your private info (SIN etc) to access your tax info and such online. Great site, but a little while ago I went to log in and the cert had expired...Months before!!
These are the people we entrust with protecting our freedoms>? They can't even protect a web site!

I emailed them to let them know the cert had expired...never heard back and haven't been back to the site since.
[ link to this | view in thread ]
Anonymous Coward, 6 Dec 2007 @ 4:19pm

Form is always more important than function
The way a thing is worded is more important than the content. My anal retentive English teachers drummed that into me all through school. I failed a lot of classes knowing the subject but not the grammar (read: the importance of protocol). Never forget. Most people are dumb as nails ( not to impinge the intelligence of English majors, of course, who we all know are smart people) It is far easier to focus on form then function !
[ link to this | view in thread ]
R. Wing, 7 Dec 2007 @ 2:07am

What? by Jim on Dec 6th, 2007 @ 6:10am

"her or she could see the account info of that other issue associated with the new number."

"her or she"?

Aside from that: I know what you're trying to say here but this is really very poorly worded. Maybe: "he or she could see the account info of other users."

----------------------------------------------

who the hell cares how he spelt it. you understood it. you got it. you didn't even comment on the story just the spelling. is that what you do online now a days? spell check everyones articles?
[ link to this | view in thread ]
Anonymous Coward, 7 Dec 2007 @ 10:13am

Re: Oh Canada
Impostor! You're not Canadian! If you were you would know it's Molson not Molsen! Err... unless of course you really are Canadian and were well into a 2-4 of the stuff when you posted...
[ link to this | view in thread ]