Friday, May 23, 2014
It Seems Very Odd That This Security Problem With Access To The PCEHR Has Not Been Fixed Promptly.
This appeared a few days ago.
Date May 15, 2014 - 3:38PM
A federal government department has been blasted over its "appalling response" to a security researcher's report which found it has been exposing millions of Australians' personal information by leaving serious security flaws unchecked in a critical government website.
The vulnerabilities were found in the myGov website, which stores the private records of Australians, including their doctor visits, prescription drugs, childcare and welfare payments. The Tax Office is expected to make the site mandatory for electronic tax returns this financial year.
One of the several vulnerabilities found was so severe it allowed the researcher, Nik Cubrilovic, to hijack the account of any registered myGov user.
Mr Cubrilovic said this was possible because of so-called "cross-site scripting" flaws on the site, which hackers could have potentially leveraged to hijack myGov accounts.
It is understood some of the flaws have been patched since the government was informed on May 2.
Mr Cubrilovic demonstrated how he was able to hijack this writer's myGov account and access, if linked, other Tax Office, Centrelink, Medicare, Child Support, Department of Veteran Affairs, e-health, and National Disability Insurance Scheme information.
There is no suggestion a hacker exploited the vulnerabilities deemed "basic" and well-known for malicious purposes, although Mr Cubrilovic believes he probably wasn't the first to discover them on the site.
To have information stolen, Mr Cubrilovic said a myGov user wouldn't even have to click on a bad link. Instead they would just visit a website containing malicious code designed to extract specific information when visiting myGov. This code could be inserted into other sites, like on third-party advertisements appearing on major Australian news websites as occurred with SBS and the Herald Sun in 2011.
"If you were to score this [myGov] site out of ten in terms of security it would be like zero or barely half a point," Mr Cubrilovic, of Wollongong, said in an interview with Fairfax Media.
Child immunisation records are accessible too.
Lots more here with screen shots which were accessed.
It is hard to understand why, having been warned, the Department did not simply fix the problems and tell the researcher all was fixed. That they did not signals either arrogance, incompetence or stupidity.
You be the judge.
Posted by Dr David G More MB PhD at Friday, May 23, 2014