Passport Canada’s site developers make an all-too-common security mistake.

The word this chilly, chilly morning is that Passport Canada's site exposes applicants' names, driver's licence numbers, and -- the Holy Grail of the identity thief -- Social Insurance Numbers to anyone wily enough to fiddle slightly with the mysterious letters and numbers that appear in the browser's address bar.

This type of security weakness is well known and falls under the general heading of "injection": entering unexpected values into a web application's form fields or query strings in order to escalate privileges or reveal restricted information.

While simple enough to prevent, the design chinks susceptible to such injection exploits are difficult to identify. But, since the site has a valid TLS certificate, it looks secure enough to management (you may recognize TLS as the little padlock that appears in your browser -- it's necessary for security, but it ain't enough). Kinda the same as habitually leaving your keys in the ignition, but slapping a car alarm decal on the window. The appearance of security is not security.

The fundamental problem, of course, is that applicants' sensitive information is network-accessible: tough to have an online application process without that. Trouble is, once information reaches the Internet, it is never ever forgotten.

Comments