Researchers say not to use myGovID until login flaw is fixed

Two security researchers are warning Australians not to use myGovID as they say the login system contains an implementation flaw that could lead to attackers gaining full access to their accounts.

Masters student Ben Frengley and adjunct professor Vanessa Teague created a threat scenario in which an attacker sets up sites that they control and asks users to log into them with myGovID.

In the scenario, the attacker captures the email address of the user and then immediately uses it to try to log into an official government portal.

The official portal displays a 4-digit PIN that the attacker then relays back to the user via the controlled site. 

When the user types that PIN into their smartphone, they can be displayed a "login successful" message on the fake site - while unknowingly granting the attacker full access to their accounts in the legitimate government portal.

While the proof-of-concept in the video shows the attacker manually sitting in the background retyping and relaying the myGovID credentials between the fake and legitimate sites, Teague told iTnews the attacker could automate the entire process.

"You can see a small delay in the video because I was doing it manually - there’s no reason for a perceptible delay in an automated system, nor any reason that one actor couldn’t perform multiple attacks simultaneously on different victims," she said.

ATO won't change protocol

The attack relies on what Frengley and Teague say is a crucial design flaw in the myGovID app that omits to tell victims the name of the site that is asking for authentication.

Without that knowledge, victims may be tricked, the researchers said.

Confusingly, Teague explained to iTnews that in a different mode, the authentication code can also be displayed on both the website and the myGovID app, with no user entry required.

"The user just has to accept - I assume they're supposed to check that the two codes are the same," Teague said.

"It doesn't make any difference to the attack: the code can be replayed either way," she added.

The researchers alerted the Australian Signals Directorate (ASD) on August 19, and proposed a 90-day responsible disclosure period as is common in the information security industry to give ATO time to fix the vulnerability.

ASD communicated this to the ATO, which met with Frengley and Teague on September 18.

In the meeting, ATO told the researchers that it did not intend to change the protocol, after which Frengley and Teague told the government tax agency they would warn users this Monday.

Frengley and Teague believe the implementation of myGovID authentication - that means users only enter their passwords or four-digit codes into the apps and not elsewhere - is a noble goal aimed at thwarting the most obvious attacks on traditional, password-based information flows.

In doing so, the researchers say it introduces another problem, however.

"The main reason this is worse than the standard redirect-to-fake-login-site attack is that the information flow is so counter-intuitive and non-standard that users are much less likely to notice - we all know we are not supposed to enter credentials into websites we do not trust, but we have no intuition about whether we are supposed to enter a number from a website we semi-trust into an app we trust," Frengley and Teague wrote.

"Also none of the browser-based defences against the redirect-to-fake-login attack would work against this attack."

The ATO has been contacted by iTnews for additional comment.

As it is difficult for users to follow the protocol devised by ATO for myGovID, Frengley and Teague say it's easy to miss that the login request should come from https://mygovid.gov.au only.

To protect themselves, Frengley and Teague advise users never to enter, or accept, a four-digit code in the myGovID app, unless it's from https://mygovid.gov.au.

However, Teague said that "most users, I think, should avoid using the myGovID system until this problem is corrected because it's a serious problem that's hard to spot."

The government should also immediately update the myGovID app to display which site is requesting the authentication.

In the long term, Frengley and Teague suggest that the Trusted Identity Framework (TDIF) should be dropped and replaced by an open standard such as OpenID Connect, or another like the ones used in Belgium and Estonia.