Agencies advised of Companies Office fault

An issue arising from an iGovt connection saw users wind up in other people's accounts

All government agencies have been advised of an issue arising from an iGovt connection to the Companies Office.

At this stage, it's thought to be a technical fault where users at one site wound up in other users' accounts when they tried to access the web site.

Department of Internal Affairs spokesperson Michael Mead says all government agencies are being told of the issue by the Government CIO and asked to confirm that the problem does not exist on their systems, or to apply the appropriate fix.

"We have followed up, confirmed the technical fault relates to a single page on the Companies Office website and does not originate with the iGovt logon service. The Companies Office has now fixed the problem," he says.

"At no time were the details of companies on the Companies Office website at risk.

"The issue was this: information was requested from the Companies Office site by a small number of users all working through a local cache server.

"The issue appears to have been limited to a small pool of users in very specific circumstances. Based on the information logged by the user, we have concluded that under unique circumstances it was possible to view another user's credentials that had been cached earlier at the user's local site.

"For this circumstance to arise, the users had to be located at the same site and accessing the same exact 'type' of details in the same defined time period, and be on the same proxy server.

"This was possible because the configuration on this one page of the Companies site being accessed did not include an appropriate instruction to prevent the caching offsite of non-static information. This missing single line of code should be routinely included to avoid the problem identified."
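The check agencies were asked to make can be sketched as follows. This is an added example, not code from the Companies Office or the Department of Internal Affairs. The article does not name the missing instruction, so the sketch assumes it is an HTTP `Cache-Control` response header, and it uses a simplified form of the RFC 9111 rules for a 200 response to a GET request. All paths and header values are constructed.

```python
# Added example: which personalised responses may a shared proxy cache reuse?
# Simplified from RFC 9111 for a 200 response to a GET request.

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    return directives

def shared_cache_may_reuse(request_headers, response_headers):
    """True if a shared cache may store the response and reuse it for another user."""
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    if "authorization" in req:
        # Shared caches skip Authorization requests unless the origin opts in.
        return bool({"public", "s-maxage", "must-revalidate"} & cc.keys())
    # A 200 response is cacheable by default; a session cookie alone does not stop it.
    return True

def audit(exchanges):
    """Return the paths of personalised responses a shared cache could reuse."""
    findings = []
    for path, req, resp in exchanges:
        personalised = (
            any(h.lower() in ("cookie", "authorization") for h in req)
            or any(h.lower() == "set-cookie" for h in resp)
        )
        if personalised and shared_cache_may_reuse(req, resp):
            findings.append(path)
    return findings

# Constructed sample exchanges: (path, request headers, response headers).
SAMPLE = [
    ("/static/logo.png", {}, {"Cache-Control": "public, max-age=86400"}),
    ("/account/details", {"Cookie": "session=abc"}, {"Content-Type": "text/html"}),
    ("/account/summary", {"Cookie": "session=abc"}, {"Cache-Control": "max-age=60"}),
    ("/account/profile", {"Cookie": "session=abc"}, {"Cache-Control": "private, no-store"}),
    ("/api/me", {"Authorization": "Bearer x"}, {"Content-Type": "application/json"}),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The two flagged pages are the cookie-authenticated ones that send no `private` or `no-store` directive, which is the situation the statement describes for users behind the same proxy server.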
