[LINK] Treasury web site
Thu, 29 Jun 2000 22:42:38 +1000
Tony Barry wrote:
> At 10:50 AM +1000 29/6/2000, Rachel Polanskis wrote:
> >Well not really, you just have to type in any number between 1 and 27000
> >and you can receive the banking details of that particular business!
> I assume that you could get at any registration (e.g. 1234) along the
> lines of a URL http://TheHostName/SomePath/1234?
A very good assumption.
Without an authorisation and authentication scheme, the information
is available publicly to those who type in a complete "find" URL.
The above HTTP GET example you gave can take many forms:
And to rock with those POST-only scripts, fire up wget or curl, and do
an HTTP POST to www.gstassist.gov.au:
# curl --data r=1234 http://www.gstassist.gov.au/find.asp
Do the above 27000 times to grab the entire database :)
(P.S. curl also honours https (SSL) requests ... a great shell tool!)
From the newscast on SBS+ABC tonight, the "hacker named Kelly"
(read: tax office nuisance) most likely typed in a URL and issued a
GET like one of the above, through his browser. When that method
returned a result as expected, I expect he used curl or similar (above)
27000 times on 27000 different values to scan the results and email all
those who have email addresses.
Pretty scary ... anyone with a bit of ingenuity (12 year olds!) can
grab the entire database with a bit of elbow grease and nimble fingers.
To stop unauthorised access, both of the following requirements
must be met:
Authorisation: access (in possibly varying degrees) is granted only to
those identified by some degree of Authentication
Authentication: varying forms of personal identification from (weak)
username + password to (strong) signed digital certificates
Both are crucial concepts in web security, and personal identification
in general. And without this dynamic duo, data on the Web is public,
shells are insecure, data stores are exposed and people's privacy
is easily compromised. Think about how easy it would be, for example,
for someone to send a horrendous email written in your name, appearing
to be from your ISP.
In the case of www.gstassist.gov.au, no form of authentication was
implemented to ensure that access to unauthorised data was prevented.
This oversight has resulted in a privacy violation ghastly in extent
(thousands of businesses exposed, wasn't it?) and dastardly in
The exposeur of this Internet security weakness can only be commended
on his quick take-up, apprehension and dissemination of the problem. He
has left red faces on the execs of some 15000 companies, including a
blustering Chairman of the ATO in major damage control explaining that no
sensitive data gathered and controlled by the Australian Tax Office has
been compromised (not his quote).
Rick Welykochy || Praxis Services Pty Limited
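The lookup Rick describes (a sequential record number passed as `r=`, no login, one request per record) is a textbook missing-authorisation bug. The following is an added example, not code from the original post or from the gstassist site: a toy model of the "find" handler as described, beside a version that requires an authenticated session and checks that the caller is permitted to see the record requested. The registration database, the `Session` class and the `scrape` loop are all constructed for illustration; the real site's names, ids and data are not known from the post.

```python
"""Toy model of a sequential-id "find" lookup, as described in the post,
without any authentication (the flaw) and with authentication plus
authorisation (the fix). All names and data below are constructed."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample "registration database", keyed by sequential number.
# A real deployment would hold tens of thousands of these.
REGISTRATIONS = {
    1233: {"business": "Alpha Traders Pty Ltd", "bsb": "000-001",
           "account": "11111111", "email": "alpha@example.com"},
    1234: {"business": "Beta Bakery", "bsb": "000-002",
           "account": "22222222", "email": ""},
    1235: {"business": "Gamma Consulting", "bsb": "000-003",
           "account": "33333333", "email": "gamma@example.com"},
}


@dataclass
class Session:
    """Result of a successful login (assumed): which registration the
    authenticated caller is entitled to view."""
    registration_id: int


def parse_record_id(body: str) -> Optional[int]:
    """Extract r=<n> from a form body, i.e. what `curl --data r=1234` sends.
    Rejects a missing, repeated or non-numeric r."""
    values = parse_qs(body).get("r", [])
    if len(values) != 1 or not values[0].isdigit():
        return None
    return int(values[0])


def find_vulnerable(body: str, session: Optional[Session] = None):
    """The lookup as described in the post: any r value returns that
    business's details, whether or not anyone is logged in."""
    rid = parse_record_id(body)
    if rid is None or rid not in REGISTRATIONS:
        return 404, None
    return 200, REGISTRATIONS[rid]


def find_hardened(body: str, session: Optional[Session] = None):
    """The same lookup behind authentication and authorisation.
    401: nobody is logged in.  403: the caller is logged in but is not
    the owner of the record requested.  The ownership check runs before
    the existence check, so the status code does not reveal which ids
    exist to someone scanning the number space."""
    rid = parse_record_id(body)
    if rid is None:
        return 400, None
    if session is None:                       # authentication
        return 401, None
    if rid != session.registration_id:        # authorisation
        return 403, None
    record = REGISTRATIONS.get(rid)
    if record is None:
        return 404, None
    return 200, record


def scrape(handler, id_range, session: Optional[Session] = None) -> dict:
    """Emulate the 'do the above 27000 times' loop: POST r=<n> for every n
    and keep whatever comes back with status 200."""
    harvested = {}
    for rid in id_range:
        status, record = handler(f"r={rid}", session)
        if status == 200:
            harvested[rid] = record
    return harvested


if __name__ == "__main__":
    ids = range(1, 2001)
    print("unauthenticated scan, vulnerable handler:",
          len(scrape(find_vulnerable, ids)), "records harvested")
    print("unauthenticated scan, hardened handler:  ",
          len(scrape(find_hardened, ids)), "records harvested")
    print("scan as owner of 1234, hardened handler: ",
          sorted(scrape(find_hardened, ids, Session(1234))))
```

The point of the two handlers side by side is that the fix is not in the lookup itself but in the two checks in front of it: no session means no answer at all, and a session only ever unlocks the record it is bound to. Guessable sequential numbers remain a weakness worth removing as well, but on their own they are only dangerous when the authorisation check is absent.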