Recently it was announced that there was a security flaw found in one of the GSA systems that could have allowed for vendors to see other vendor information. The original article, which you can read in its entirety, can be found at GSA Database May Have Leaked Contractor Banking and Proprietary Information. Kevin Johnson, CEO, of Secure Ideas was one of the security experts that was interviewed in the article. While the article takes a general focus on SQL Injection as being the probable cause, no actual details of the vulnerability were actually released. This could very well have been a SQL Injection vulnerability, but without confirmation from the organization, it is difficult to tell.
There are many vulnerabilities that could have led to this security breach. For example, simple parameter tampering is a prime candidate for one person to see another person’s information. This is what was done in the Citi and AT&T breaches that were fairly big in the news. Changing parameter values is simple and often overlooked during QA testing.
Server mis-configuration is another possibility. Of course, this covers a few different flaws, weak passwords, poor authorization, etc. Any of these are also good candidates for gaining access to another user’s information.
Unfortunately, they have not said what the actual flaw was, and may never tell us. It appears they fixed it rather quickly too which is great to see. As outsiders, it should serve as a reminder that security flaws are all around us and there are many ways to get to the same data. We can’t assume what the actual flaw was, but we can take this incident as a chance to look at our own applications and verify our records are safe.
James Jardine is a Principal Security Consultant with Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.