Brucon: Major flaws in eID web applications revealed

Major flaws exist in web applications that are used for national electronic identity smartcards.

Presenting at the Brucon conference in Ghent, Taddong founder and senior security analyst Raul Siles said that an investigation into web applications that deal with electronic identity (eID) smartcards found major security failings.

Siles said that as these smartcards contain biometric (fingerprint) data, an authentication certificate and a signature certificate, they are built securely with the PKCS#15 standard and he was not aware if anyone had hacked into it.

There are 26 countries deploying the card across the world, with 25 million citizens using it in Siles' native Spain. He said that these are used in different places to get access to WiFi and VPNs and we are getting to the point where instead of using a credit card, we will use eID for e-government services where it is merged with the SIM on a mobile phone.

Siles said: “Merchants are provided with readers to make use of the cards, but in reality where are you using the eID? In web applications for e-government services and for 99 per cent of procedures from central government. This is the most secure authentication method – if you are using two-factor authentication (2FA) of the eID it will be much more secure and everyone is promoting that.

“In 2011 e-accessibility increased in Europe for e-government services, so we started looking at this for Spain and we were the top e-access for services perspective. So we need to meet the security of services too to improve the state of eID within web applications.”

Siles said his research of web applications that use eID looked at the use of HTTPS, how they use data and how they manage session data and cookies to keep track of user activities.

He said: “HTTPS is pretty similar, it sends a request, says hello and requests [a] certificate and it is done and if it accepts, it does the certificate and communicates in a secure way sending data back and forth.

According to Siles, when it comes to data most people focus on SQL, XSS and the OWASP top ten, but third in that is authentication and session management. He believes people need to focus, and this is critical, as attackers are doing just that in creating malware such as 'Oddjob ' that attacked banks and web applications.

"Before you authenticate, do session management and access control, then do not forget to close the session,” he said.

Siles said that most web applications are developed in Java, and everyone assumes that the web application is secure. His research of 15 'very relevant' web applications during the period of May to December 2011 found that 70 per cent were using HTTPS and 46 per cent were using SSL version two, and that 100 per cent were using SSL version three, so developers need to keep pace with what is going on in the security industry.

“With secure HTTPS renegotiation, users do not know how to do it so they leave their browsers with trousers down,” he said.

Elsewhere, his research found that 50 per cent of TCP/80 portals were open and 43 per cent redirected. 

He said: “We found that some applications do renegotiation, some have data in databases but with others you need to register first, it is a twisted purpose as you register and can modify it, but only 25 per cent of applications require registration, but 67 per cent are vulnerable to the renegotiation process.”

Other research found that 75 per cent of the sites use cookies, while 36 per cent use a low entropy ID, however 64 per cent of the web applications were vulnerable to session fixation, despite this being announced in 2002. “You need to change that and fix it,” he said.

Finally, Siles said that there was a real problem with closing sessions, as only nine per cent implemented an absolute time out. “Why is this required? What if an attacker hijacks a session with your user eID? They will be you forever, you need an absolute time out to re-authenticate, but with 18 per cent it remained open,” he said.

Siles said: “We need to develop new web applications with new functionalities, as we found holes on what is collected. They need to do something but it is not clear on what they need to do yet apart from fix the flaws."

Sign up to our newsletters