Case #22: Another booking leak

Personal info like Social Security numbers and personal documents were available. While I mostly hail the City of Bergen's handling of this issue, here are also the details they didn't tell you.

Published: Mon, March 18, 2019, 06:45
Updated: Sun, November 15, 2020, 23:15
Category: Security
Tags: Security Monday, Information leak, PHP, Social Security numbers, OWASP 2017 A3, OWASP 2017 A5

tl;dr

Personal information and documents from thousands of individuals were leaked in a government booking system.

Summary

Who: Aktiv kommune (City of Bergen, City of Stavanger, City of Ålesund, Fjell municipality)
Severity level: Medium to High
Reported: March 2019
Reception and handling: Very good
Status: Fixed
Reward: A thank you
Issue: Leak of personal information

Background

Bergen is one of the most beautiful cities in Norway. And the City of Bergen offers this really cool "cabin" with a great view on its mount Fløyen where families can spend a night for free. I was asked if we should try to book a night there. But when I saw the URL of the site, the curious developer in me immediately got sidetracked...

The booking site is run by a system shared between the municipalities Bergen, Stavanger, Ålesund and Fjell. Aktiv kommune is some sort of collective site for this cooperation. The booking system is used by organizations and individuals to book all kinds of facilities and equipment like sports courts, venues, meeting rooms, musical instruments, etc. There are thousands of such "resources" that can be booked.

Approach (technical stuff)

Problem 1

I opened Vivaldi developer tools while browsing the site. There's a calendar on the site showing the availability of a selected resource. The calendar data is loaded as JSON via Ajax. It took me like 30 seconds to see that the server returned way too much data - including names, phone numbers, e-mail addresses, Social Security numbers etc.

This is just so common - the server returns some kind of serialized data structure that contains much more information than what is used for the user interface. This reminded me of the case where the garbage collection calendar app leaked personal data.
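The pattern behind Problem 1, as an added example (not code from the booking system or from Aktiv kommune): a calendar endpoint that serializes whole booking records next to one that projects only an explicit allow-list of fields, plus a small review-time check that walks a JSON payload and reports any sensitive keys it finds. The record layout, field names and sample values are constructed assumptions.

```python
"""Added example, not code from the booking system: the calendar endpoint
pattern from Problem 1. A leaky handler serializes whole booking records; the
hardened handler projects an explicit allow-list of fields. Record layout,
field names and sample values are constructed."""
import json

# Constructed booking records, shaped like what a booking back end typically
# holds (the availability calendar needs only the first five keys).
BOOKINGS = [
    {
        "id": 1, "resource_id": 42,
        "start": "2019-03-16T18:00", "end": "2019-03-17T10:00", "status": "confirmed",
        "applicant": {"name": "Kari Nordmann", "phone": "+47 00000000",
                      "email": "kari@example.org", "ssn": "01010100000",
                      "address": "Example street 1, Bergen"},
        "comment": "Family of four, two children aged 13-19",
        "attachments": [{"id": 17, "filename": "passport.jpg"}],
    },
    {
        "id": 2, "resource_id": 42,
        "start": "2019-03-18T18:00", "end": "2019-03-19T10:00", "status": "pending",
        "applicant": {"name": "Ola Nordmann", "phone": "+47 00000001",
                      "email": "ola@example.org", "ssn": "02020200000",
                      "address": "Example street 2, Bergen"},
        "comment": "",
        "attachments": [],
    },
    {
        "id": 3, "resource_id": 7,
        "start": "2019-03-18T09:00", "end": "2019-03-18T11:00", "status": "confirmed",
        "applicant": {"name": "Example club", "phone": "", "email": "", "ssn": "", "address": ""},
        "comment": "",
        "attachments": [],
    },
]

# What the availability calendar renders: which slots are taken, nothing more.
CALENDAR_FIELDS = ("id", "resource_id", "start", "end", "status")

# Keys that must never reach a view that is reachable without a login.
SENSITIVE_KEYS = {"applicant", "name", "phone", "email", "ssn", "address",
                  "comment", "attachments"}


def calendar_leaky(bookings, resource_id):
    """The over-exposure pattern: filter rows, then dump the whole object graph."""
    rows = [b for b in bookings if b["resource_id"] == resource_id]
    return json.dumps(rows)


def calendar_minimal(bookings, resource_id):
    """Allow-list projection: the response is built only from named fields, so
    a column added to the record later does not silently appear in the JSON."""
    rows = [{k: b[k] for k in CALENDAR_FIELDS}
            for b in bookings if b["resource_id"] == resource_id]
    return json.dumps(rows)


def leaked_keys(payload):
    """Review-time check: collect sensitive keys found anywhere in a JSON payload.
    Suitable as a regression test for every endpoint that needs no login."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if k in SENSITIVE_KEYS:
                    found.add(k)
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)

    walk(json.loads(payload))
    return found


if __name__ == "__main__":
    print(sorted(leaked_keys(calendar_leaky(BOOKINGS, 42))))   # every key in SENSITIVE_KEYS
    print(leaked_keys(calendar_minimal(BOOKINGS, 42)))         # set()
```

The important design point is that the safe handler starts from an empty response and adds named fields, rather than starting from the full record and trying to remove the sensitive ones; a deny-list breaks the moment someone adds a new column to the booking table.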

Problem 2 + 3

Days after I reported the issue I was still curious whether the site would be safe to use once that issue was fixed. I filled out the application form and uploaded an attachment. The URL to the finished application contained a "secret" so that no one should be able to guess the URL to your application. Other than that, the ID seemed to be an incremental integer. But did the URL to the attached document in the application contain some kind of secret? Guess what, it didn't. The URL to all documents uploaded by users was based on an incremental integer ID. One could systematically go through and download all the documents.

I just checked a few, but to my surprise and horror the documents included photos of ID cards, passports, family photos and e-mails. Now this was not the kind of data I wanted stored on my computer even though it was available openly on the Internet. Luckily I found another unprotected URL which "just" listed the file names of all the uploaded documents. This made it easier to document the vulnerability without actually downloading stuff. The file list contained "interesting names" like full names, images with identifiers clearly pointing back to Facebook, words like "passport", "visa", "e-mail", "rental agreement", "ticket" etc.
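The two defects in Problems 2 and 3, as an added example that is not the booking system's code: a download handler keyed only by a sequential integer, the hardened form that checks that the requester owns the application the document belongs to (with an optional random-token alternative for links that must work without a login), a file-listing endpoint gated on an administrator role, and a defender-side check over web-server access logs that flags a client fetching a run of consecutive document ids. The store layout, the `/document/<id>` path, the log format and all sample values are constructed assumptions.

```python
"""Added example, not code from the booking system: the download pattern the
post describes (sequential integer id, no ownership check), a hardened form,
and a log check for sequential probing. Store layout, URL path and log
format are constructed assumptions."""
import re
import secrets
from collections import defaultdict


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed data: applications (owned by a user) and their uploaded documents,
# keyed by the kind of incremental integer id the post describes.
APPLICATIONS = {101: {"owner": "alice"}, 102: {"owner": "bob"}}
DOCUMENTS = {
    1: {"application_id": 101, "filename": "passport.jpg",
        "token": secrets.token_urlsafe(32)},
    2: {"application_id": 102, "filename": "rental_agreement.pdf",
        "token": secrets.token_urlsafe(32)},
}


def download_unprotected(doc_id):
    """Vulnerable pattern: any integer that exists returns the file."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound
    return doc["filename"]


def download_checked(doc_id, user):
    """Hardened: resolve the document, then require that the requester owns the
    application it belongs to. 'Missing' and 'not yours' get the same answer so
    the response does not confirm which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or APPLICATIONS[doc["application_id"]]["owner"] != user:
        raise NotFound
    return doc["filename"]


def download_by_token(token):
    """For links that must work without a login: address the document by a
    long random token instead of its id, compared in constant time."""
    for doc in DOCUMENTS.values():
        if secrets.compare_digest(doc["token"], token):
            return doc["filename"]
    raise NotFound


def list_documents(role):
    """The file-listing endpoint from the post: only an authenticated
    administrator role may enumerate filenames."""
    if role != "admin":
        raise Forbidden
    return sorted(d["filename"] for d in DOCUMENTS.values())


# Constructed access-log lines (assumed path layout /document/<id>).
ACCESS_LOG = """\
203.0.113.5 - - [18/Mar/2019:06:45:01 +0100] "GET /document/1 HTTP/1.1" 200 48213
203.0.113.5 - - [18/Mar/2019:06:45:02 +0100] "GET /document/2 HTTP/1.1" 200 10239
203.0.113.5 - - [18/Mar/2019:06:45:02 +0100] "GET /document/3 HTTP/1.1" 200 77310
203.0.113.5 - - [18/Mar/2019:06:45:03 +0100] "GET /document/4 HTTP/1.1" 404 0
198.51.100.7 - - [18/Mar/2019:07:02:11 +0100] "GET /document/2 HTTP/1.1" 200 10239
"""
LOG_RE = re.compile(r'^(\S+) .*"GET /document/(\d+) ')


def enumeration_suspects(log_text, min_run=3):
    """Flag clients that requested a run of consecutive document ids, the
    footprint of 'systematically going through' an integer id space."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ids_by_client[m.group(1)].add(int(m.group(2)))
    suspects = {}
    for client, ids in ids_by_client.items():
        longest = run = 0
        prev = None
        for i in sorted(ids):
            run = run + 1 if prev is not None and i == prev + 1 else 1
            longest = max(longest, run)
            prev = i
        if longest >= min_run:
            suspects[client] = longest
    return suspects


if __name__ == "__main__":
    print(download_unprotected(1))           # anyone gets passport.jpg
    print(download_checked(1, "alice"))      # the owner gets it
    print(enumeration_suspects(ACCESS_LOG))  # {'203.0.113.5': 4}
```

Note that `download_checked` answers "not found" for both a missing id and someone else's document; returning a distinct "forbidden" for the latter would confirm which ids exist, which is exactly the information a sequential-id design leaks. The log check is a coarse heuristic (a legitimate user downloading their own two attachments will never hit it) and is meant to run over the server's access log, not to replace the authorization check.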

Security issues

For years (City of Bergen estimates 8+ years) it was possible to retrieve a variation of the following information about persons booking resources:
  • Full name
  • Phone number
  • E-mail address
  • Full address
  • Social Security number
  • Comment
  • Attached documents
  • Gender and age groups (0-12, 13-19, 20+) of attendees

Among the available documents there were a few ID cards, passports, tickets, visa, family photos, contracts and e-mails.

For the mentioned cabin you could see who was to stay there on a given night - including age group and gender of each family member.

According to the municipalities themselves, information was leaked about 3,142 individuals in City of Bergen, 628 in Fjell municipality and 16 in City of Ålesund. City of Stavanger seems to have "forgotten" to tell the number of persons affected. I suppose that in addition there were documents and other information about organizations available.

Reception and handling

Day zero

As the booking system was used by several municipalities on different URLs I wasn't sure what would be the best contact point. I sent an e-mail to Norwegian National Security Authority's (NSM) NorCERT (Computer Emergency Response Team) and they said they could contact the right persons. The few times I have talked with NorCERT they have always been very helpful, responsive and effective.

Day 2

Two days later I got responses from NorCERT, Aktiv kommune (City of Stavanger) and City of Bergen. A project manager from Aktiv kommune thanked me and told me that they had fixed the issue and reported it to The Norwegian Data Protection Authority (DPA) - Datatilsynet.

Day 5

I noticed the other issue with documents being downloadable and at night reported that to Aktiv kommune and City of Bergen.

Day 6

Some e-mailing back and forth and the issue was fixed. Then City of Bergen, City of Stavanger, City of Ålesund and Fjell municipality each posted their own news article describing the issue.

What they didn't tell

The problem with the news articles posted by the municipalities was that they seemed geared towards the issue reported initially. They don't mention any of the leaked documents. No passports, no ID cards, no e-mails, no contracts, no nothing. I asked the City of Bergen about this, and that is actually the only e-mail they have not responded to.

The report from City of Bergen to the DPA is one of the most honest and best ones I have read. They mention 5 passports, but I believe that number to be incorrect. Yes, if you look quickly at the filenames (and assume equal filenames in a row are duplicates) you will see 5 files containing the word "pass". But the ID cards and passport I saw had other types of filenames. They also say the quality of the images was low. Well, that cannot be said about the ones I saw. In addition there were filenames with "pasaporte", "visa", "flights", "itinerary", "paszport", "ticket" and quite a few full names and what seems to be e-mails and contracts. I hope they will report that as well.

The report also doesn't say that someone externally reported the issue with the documents. And it doesn't say that this happened days after. The report starts out so honest, but then it becomes the questionable text that the DPA usually receives.

Handling summary

✅ The issues were fixed quickly
✅ The DPA was alerted
✅ The individuals affected were informed by e-mail
☑️ Mostly open about number of persons affected
❌ City of Bergen's report to DPA seems lacking
❌ No mention of the document leak in news articles or e-mails
❌ No mention anywhere that one could also see the gender and age groups of the people accommodated

Conclusion

As we all know by now, leaks like this happen constantly. This is why I started publishing the issues that I trip over when I'm online. We need more focus on IT security in IT education, in IT projects and in IT companies. And people should be cautious about what information is left where.

On a positive note, the handling of this issue on the City of Bergen's part was quite a few steps up from the last time they were in the media regarding security issues.
