Centrelink website flaw leaves users vulnerable


Exclusive: Phishing attacks made easy.

A security vulnerability in Centrelink’s online system put users at greater risk of having their credentials stolen through phishing attacks.

Freelance web application specialist Eric John Hurley discovered the flaw when using the service earlier this month, iTnews can reveal.

After logging out of the Centrelink portal, users are redirected back to the main login page. But the logout function contained an unvalidated redirect vulnerability that meant attackers could set their own destination URL.

Because the target page (the destination of the redirect) was taken from an unvalidated request parameter, attackers could send users to a site of their choosing from a link that appears to be a legitimate Centrelink URL.

For example, iTnews could make the logout redirect land on the iTnews homepage simply by changing the dest query-string (GET) parameter:

https://www.centrelink.gov.au/wps/screens/html/Logoff.jsp?dest=https://itnews.com.au

Attackers could embed the changed URL in a phishing attack, raising the likelihood of a user clicking on the link given its apparent legitimacy.

From there, users’ sensitive details could be harvested through, for example, a website crafted to look like the official Centrelink portal.
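The fix for this class of bug is to refuse any logout destination that is not a local path or an allowlisted host. The validator below is an added example written for this article, not Centrelink's code; the allowlist, the login page path and the input URLs are constructed values. It also includes a small helper that flags logout requests with an off-site dest, which is how a defender would hunt for this in web access logs.

```python
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist and fallback; the portal's real values are not on the page.
ALLOWED_HOSTS = {"www.centrelink.gov.au"}
DEFAULT_LANDING = "/wps/screens/html/Login.jsp"  # assumed login page path


def safe_logout_redirect(dest: Optional[str],
                         allowed_hosts: Iterable[str] = ALLOWED_HOSTS,
                         default: str = DEFAULT_LANDING) -> str:
    """Return a redirect target that stays on the portal.

    Anything missing, malformed, or pointing off-site falls back to the
    default login page instead of being reflected into a Location header.
    """
    if not dest:
        return default
    # Control characters and backslashes are common parser-confusion tricks;
    # refuse them outright rather than trying to normalise.
    if any(ord(c) < 0x20 for c in dest) or "\\" in dest:
        return default
    parts = urlsplit(dest)
    if parts.scheme or parts.netloc:
        # Absolute URL: only https to an allowlisted host is acceptable.
        # Using .hostname defeats "allowed-host@evil" and subdomain tricks.
        if parts.scheme.lower() != "https":
            return default
        if (parts.hostname or "").lower() not in set(allowed_hosts):
            return default
        return dest
    # Scheme-less: must be a plain absolute path, not protocol-relative ("//host").
    if dest.startswith("//") or not dest.startswith("/"):
        return default
    return dest


def flags_off_site_dest(request_url: str) -> bool:
    """Detection helper: True when a logout request carries a dest value that
    the validator above would refuse. Run over access-log request URLs to
    find abuse attempts against an open-redirect logout endpoint."""
    dest = parse_qs(urlsplit(request_url).query).get("dest", [None])[0]
    return safe_logout_redirect(dest) != (dest or DEFAULT_LANDING)
```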

Hurley said he contacted Centrelink operator the Department of Human Services several times from April 2 about the issue but got no response.

iTnews notified the department of the vulnerability late on Monday, and it was addressed on Tuesday.

The department acknowledged the "risk" to the Centrelink site and said it had "been investigated and fixed".

"It's irresponsible to leave such simple bugs in an application. Not validating your parameters in such a big system owned by the government is quite mad to say the least," Hurley told iTnews.

Copyright © iTnews.com.au. All rights reserved.