Companies House Security Review - Part 2
Update(s):
18/Dec/2012 - One SSL bug now fixed (might want to put security testing out to tender next time!) - but still a few to go. Directory traversal still possible... hint encode/escape or strip, don't add slashes! Significant improvements have been made to the SSL implementation - now scoring a healthy Grade A @ Qualys SSL Labs. At least progress is being made... can't fault them for that.
17/Dec/2012 - WebCheck now uses cookies - but still not secure! At this point, I'm not sure what's worse... the existence of the flaws or their proclivity for botched updates. Perhaps a report to the ICO would help... or not.
13/Dec/2012 - Unfortunately, there has been no further correspondence since my email dated 5/Dec/2012.
Since then however, several new issues have come to light... including 1 directory traversal exploit which could reveal the codebase of both WebFiling & WebCheck. SSL encryption is still not enforced on vital pages of WebFiling - allowing any account to be hijacked. There's still no word on password/token hashing either - there's no justifiable reason why this can't be released. If it's securely hashed, so much the better. If not, why not?
The latest directory traversal exploit coupled with an outdated & vulnerable perl installation (5.8.5 - from 2004!) means that once again, the system is insecure and users are being put at risk. This time however, the exact details will remain private & confidential until they are identified & addressed by developers/penetration testers. A disclosure of any sort (partial or otherwise) at this time could directly place the system and every user at immediate risk.
I am currently working with another security consultant to record a simulcast which demonstrates exactly how anyone can hijack a company. It's live, detailed and absolutely unequivocal proof that it's possible... even as of 13/Dec/2012. Look out for that!
10/Dec/2012 - Companies House have now rectified the flaws which allowed session hijacking in WebFiling. (see above) WebCheck is still vulnerable, and it still isn't clear how the passwords are stored. Until such time, we must assume they are still stored in plain text and as such, you should you exercise caution when choosing your password; it may be visible to database administrators and other members of staff.
It's been a month since the first publication regarding Companies House.
Has anything changed? Is it now more secure? Let's take a look...
Companies House Official Response #2 (16/11/2012 - Sent via John Leyden @ The Register)
"I would reiterate that nothing that was raised by Mr Moore was not already known to us and, where necessary, actions were in train to address matters. Indeed a number of issues have been definitively addressed since we last corresponded. A number of assumptions were made without knowledge of our infrastructure or additional security controls.We would not wish to discuss these in any public forum for obvious reasons but it remains the case, as we have stated on a number of occasions, that we do take security seriously and any issues raised by customers or other sources are examined and necessary mitigation put in place. This is not just a trite phrase but a matter all public agencies take seriously."
Comments to reply #2 (16/11/2012)
Companies House claim they were already aware of all the issues I've outlined, which raises more serious questions.- If Companies House were aware of these issues during the development stage, why weren't they addressed immediately?
- If they were made aware following a penetration test, why was the site released to the public knowing it posed a serious risk to everyone that uses it?
- In any event, if they were aware of any/all of these issues, why was no action taken until after my complaint?
In reality, I suspect many of the issues were new to Companies House; no organisation that handles data responsibly would knowingly expose their customers to avoidable risk. The password reset debacle for instance, demonstrates they have some understanding of what’s required, but not enough to ensure it’s safe. It also demonstrates another failure in the penetration test; assuming it was tested prior to release. We’re not pushing the boundaries of technology here, this is basic stuff which most private firms mastered a long time ago. To think the government handles our data this way is really quite frightening.