CIX Registration Security Hole
I think I can blog about this now that everything is fixed.
I was poking around with the registration form for the Canadian Innovation Exchange this morning (don’t ask). That’s when I noticed, quite obviously, that the webpage allowed me to preview my submitted application without logging in.
So I tried changing the &registration_id= variable in the URL, and noticed that it was possible to view every application simply by modifying the URL string. You could also edit them.
Yes, that’s right, for a while this morning, it was possible to view every business plan submitted to the CIX. Financing plans, customer lists, strategy, everything — all open to the public with some simple URL rewriting.
Maybe I am over-strict about security; I have to be. But this, to me, is irresponsible.
They were responsible about my input: I contacted the CIX, and they promptly wrote back to say that they’ve fixed the problem.
I think it was safe for those who submitted their applications to assume that their data would be secured appropriately, so my lesson of the day is to those collecting confidential data: if you don’t understand internet security, hire someone who does. If you are a developer and think that having a random 2-digit number in the URL is security, ask for help.
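As an added illustration (not code from this post or from the CIX site), here is the pattern described above in a minimal Python handler: a lookup keyed only by the id taken from the URL, next to a version that requires a logged-in session and checks that the session user owns the record. The record ids, user names and plan text are constructed sample data, and the small id-walking helper exists so the two handlers can be compared as a regression test.

```python
# Constructed sample data: a few applications keyed by a small sequential id,
# standing in for ?registration_id=41, 42, 43 in the URL.
REGISTRATIONS = {
    41: {"owner": "alice", "plan": "alice's business plan"},
    42: {"owner": "bob", "plan": "bob's business plan"},
    43: {"owner": "carol", "plan": "carol's business plan"},
}


class Forbidden(Exception):
    """Raised when the hardened handler refuses a request."""


def preview_vulnerable(registration_id, session_user=None):
    # The flaw from the post: the id in the URL is the only "check".
    # The session is ignored entirely, so any visitor can read any record.
    return REGISTRATIONS.get(registration_id)


def preview_hardened(registration_id, session_user):
    # Authentication: a session is required before any lookup happens.
    if session_user is None:
        raise Forbidden("login required")
    record = REGISTRATIONS.get(registration_id)
    # Authorization: the session user must own the record. Missing and
    # foreign ids get the same answer, so the response does not reveal
    # which ids exist. A random id would not replace this check.
    if record is None or record["owner"] != session_user:
        raise Forbidden("not found")
    return record


def is_forbidden(handler, registration_id, session_user):
    """True if the handler refuses this (id, user) pair."""
    try:
        handler(registration_id, session_user)
    except Forbidden:
        return True
    return False


def count_readable(handler, session_user, ids):
    """Regression check: how many records can this user read by
    trying each id in turn? Should be at most their own."""
    return sum(
        1 for rid in ids
        if not is_forbidden(handler, rid, session_user)
        and handler(rid, session_user) is not None
    )
```

Run `count_readable` against both handlers with an anonymous user and with a logged-in user; the vulnerable version returns every record, the hardened one only the caller's own.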
Message to whomever was responsible for this:
<angry face>


March 18th, 2008 at 6:51 am
Ali, few people take security seriously. Or at least not seriously enough. My guess is that unless your job has depended on it, you just don’t have the chops and you haven’t needed to develop them.
Your experience reminds me of a similar story. When the IASA (International Association of Software Architects) was getting started they had a number of bush league security flaws on their site. Including emailing your username and password in plain text. To make matters worse when you confirmed your email they passed both your username and password as a query string.
Now the kicker here is that initial membership was via invitation, they already had my email and they certainly didn’t need to email me my password.
When I wrote them and suggested (politely) ways to shore things up, the silence was deafening. The good news is they eventually changed for the better but the whole situation was shocking for an organization that was supposed to be for “elite architects” (their words, not mine).
March 18th, 2008 at 7:07 am
The hole is bad (common, but bad); their response is what is important. Good argument for clean URLs and a little mod_rewrite (or IIS equivalent) ;)
March 18th, 2008 at 9:07 am
I am happy to report that the only person who saw any information besides their own was Ali himself.
No, this should not have happened, and yes, we take the security of information very seriously.
Once we were notified of the breach, it was fixed within 20 minutes, and tested by a number of web people. And like I said, only one person had access to other people’s information.
March 18th, 2008 at 10:15 am
Well handled, Hope and the CIX.
Mistakes happen to all of us — after posting this story, I have heard many stories from people talking about how common this can be.
The speed of reaction was impressive.
March 18th, 2008 at 1:39 pm
It’s crazy how often this occurs with sensitive information:
http://www.theglobeandmail.com/servlet/story/RTGAM.20071204.wpassport1204/BNStory/National/home
Congrats to CIX for the rapid response.
March 25th, 2008 at 10:37 am
[...] This is probably one of the bigger events and has a good line up of speakers. The event features a contest for startups to present and win some funding. Unfortunately the cost is $495 for companies that are accepted to present. The contest has also had a major security breach. [...]
April 12th, 2009 at 11:04 pm
Nice post. Thanks for sharing these tips.