EXCLUSIVE: NSW cops quiz Aussie security researcher

Boneheaded superannuation firm tries shooting messenger...
October 13, 2011 -- 

Well-known Australian information security professional Patrick Webster has been visited by NSW Police officers following his disclosure of an embarrassing Web application security bug to his superannuation fund.

Webster had noticed his pension fund, First State Superannuation, allowed logged in members to access online statements via "direct object reference," a security lapse so boneheaded it's included in OWASP's infamous top ten list of Web application security bugs.

For those unfamiliar with direct object reference, it means documents are served up by way of a direct ID in a URL. The problem is that by changing the document ID in the browser's URL bar, another document will be accessed and served to the user.

Direct object reference issues have been well known for over a decade. The Australian Treasury's GST Web Site was affected by a similar glitch in 2000.

Sure enough when Webster incremented the document ID number in the URL linking to his super statement, up popped another member's statement. He contacted First State Superannuation's administration arm, Pillar Administration, to notify them of the problem the morning after he discovered the company's shoddy coding.

He even sent one of the fund's IT staffers a bash script to demonstrate the issue. The script enumerated document IDs and downloaded statements.

"It needed to be fixed ASAP," Webster, who runs information security company OSI Security and is a prolific Metasploit contributor, told Risky.Biz. "That's why I made a script and sent it to [redacted], so he could run the script himself and see what I meant."

The initial response from the fund was positive, with e-mails seen by Risky.Biz praising Webster for taking the time to notify the right people.

First State Superannuation has 770,000 members, mostly working for the NSW State Government. Members include everyone from magistrates to police officers and nurses.

It was two of those NSW police officers that turned up at Webster's front door at around 9pm last night.

"They just rocked up on the doorstep and said 'We're after Patrick'," he said. "They said it was about downloading files from First State Super. They said they didn't really understand it. They were the local Police.

"The annoying part is that I contacted First State straight up. I gave them my number, email... and full details in my email including LinkedIn and they called the cops," Webster said.

It is generally understood in the information security industry that data accessed via a URL without further authentication has, in essence, been made public by the system allowing the access.

It is difficult to argue that the access of such material is the bypass of a security control; it is merely proof of the absence of a security control.

Webster demonstrated that any logged in First State Superannuation member could access the online statements of any other member via URL manipulation alone.

It was Pillar Administration and First State Superannuation's diabolical violation of good practice that exposed members' details, not Webster's actions.

For background on just how dysfunctional and negligent an organisation has to be to allow direct object reference to sensitive information, click here.

Perhaps instead of contacting the law, First State Superannuation would have done well to send Webster, who ironically enough spent much of his career working in information security for NSW Police, a nice bottle of single malt and a sun hat.

The company has suspended online access to Webster's account. Passing the buck, wasting taxpayers' money and police time FTW.

Calls to Pillar Administration's head office and individual staffers were not returned. Staffers reached would not comment. Comment from NSW Police could not be obtained by time of publication and detectives reached would not comment.

Pillar Administration and First State Superannuation have since fixed the direct access bug and notified members whose information was accessed by Webster's script. See the letter here [pdf].

The only silver lining that could come out of Webster being charged with something -- what, exactly is a bit foggy -- would be watching a prosecutor try to explain to a magistrate that changing a single digit in a browser bar is a computer crime.

Lawl/snort/chortle etc.

Follow Patrick Gray on Twitter here.

Check out the Risky Business podcast here.

Subscribe to podcast feeds here.