iTnews

Researchers say not to use myGovID until login flaw is fixed

By Juha Saarinen on Sep 21, 2020 11:52AM

ATO declines to change protocol.

Two security researchers are warning Australians not to use myGovID as they say the login system contains an implementation flaw that could lead to attackers gaining full access to their accounts.

Masters student Ben Frengley and adjunct professor Vanessa Teague created a threat scenario in which an attacker sets up sites that they control and asks users to log into them with myGovID.

In the scenario, the attacker captures the email address of the user and then immediately uses it to try to log into an official government portal.

The official portal displays a 4-digit PIN, which the attacker then relays back to the user via the controlled site.

When the user types that PIN into the myGovID app on their smartphone, the fake site can show them a "login successful" message, while they have unknowingly granted the attacker full access to their accounts in the legitimate government portal.

While the researchers' proof-of-concept video shows the attacker manually sitting in the background, retyping and relaying the myGovID credentials between the fake and legitimate sites, Teague told iTnews the attacker could automate the entire process.

"You can see a small delay in the video because I was doing it manually - there’s no reason for a perceptible delay in an automated system, nor any reason that one actor couldn’t perform multiple attacks simultaneously on different victims," she said.

ATO won't change protocol

The attack relies on what Frengley and Teague say is a crucial design flaw in the myGovID app: it does not tell victims the name of the site that is asking for authentication.

Without that knowledge, victims may be tricked, the researchers said.

Adding to the confusion, Teague explained to iTnews that in a different mode the authentication code is displayed on both the website and the myGovID app, with no user entry required.

"The user just has to accept - I assume they're supposed to check that the two codes are the same," Teague said.

"It doesn't make any difference to the attack: the code can be replayed either way," she added.

The researchers alerted the Australian Signals Directorate (ASD) on August 19, and proposed a 90-day responsible disclosure period as is common in the information security industry to give ATO time to fix the vulnerability.

ASD communicated this to the ATO, which met with Frengley and Teague on September 18.

In the meeting, ATO told the researchers that it did not intend to change the protocol, after which Frengley and Teague told the government tax agency they would warn users this Monday.

Frengley and Teague believe the design of myGovID authentication, under which users only enter their passwords or four-digit codes into the app and not elsewhere, is a noble goal aimed at thwarting the most obvious attacks on traditional, password-based information flows.

However, the researchers say that in doing so it introduces another problem.

"The main reason this is worse than the standard redirect-to-fake-login-site attack is that the information flow is so counter-intuitive and non-standard that users are much less likely to notice - we all know we are not supposed to enter credentials into websites we do not trust, but we have no intuition about whether we are supposed to enter a number from a website we semi-trust into an app we trust," Frengley and Teague wrote.

"Also none of the browser-based defences against the redirect-to-fake-login attack would work against this attack."

The ATO has been contacted by iTnews for additional comment.

Because the protocol the ATO devised for myGovID is difficult for users to follow, Frengley and Teague say it is easy to miss that a login request should only come from https://mygovid.gov.au.

To protect themselves, Frengley and Teague advise users never to enter, or accept, a four-digit code in the myGovID app, unless it's from https://mygovid.gov.au.

However, Teague said that "most users, I think, should avoid using the myGovID system until this problem is corrected because it's a serious problem that's hard to spot."

The researchers also say the government should immediately update the myGovID app to display which site is requesting the authentication.
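The following toy model, added here as an illustration and not code from the researchers, iTnews or the ATO, shows why relaying a code works when the app displays nothing but the code, and why the proposed fix (the app naming the site that requested the login, so the user can compare it with the browser address bar) stops the relay. The backend, the session fields, the fake origin and the user's decision rule are all assumptions made for the model; only https://mygovid.gov.au comes from the article.

```python
"""Toy model of the code-relay weakness and of the 'show the requesting site'
mitigation. Everything here (backend, session shape, fake origin, user check)
is a constructed assumption for illustration, not the real myGovID protocol."""
import secrets
from dataclasses import dataclass

REAL_PORTAL = "https://mygovid.gov.au"       # from the article: the only origin a request should come from
FAKE_SITE = "https://mygovid-login.example"  # constructed attacker-controlled origin


@dataclass
class LoginSession:
    email: str
    requesting_site: str   # origin of the browser session that started this login
    holder: str            # whose browser gets logged in if the session is approved
    approved: bool = False


class AuthBackend:
    """Assumed backend: issues one 4-digit code per login attempt and approves the
    browser session that started the attempt once the app confirms that code."""

    def __init__(self) -> None:
        self.pending: dict[str, LoginSession] = {}

    def start_login(self, email: str, requesting_site: str, holder: str) -> str:
        code = f"{secrets.randbelow(10_000):04d}"
        self.pending[code] = LoginSession(email, requesting_site, holder)
        return code

    def app_prompt(self, code: str, show_requesting_site: bool) -> dict:
        """What the phone app shows when a code is entered. Flawed variant: only the
        code. Mitigated variant: also the site that started the login."""
        prompt = {"code": code}
        if show_requesting_site:
            prompt["requesting_site"] = self.pending[code].requesting_site
        return prompt

    def approve(self, code: str) -> LoginSession:
        session = self.pending[code]
        session.approved = True
        return session


def user_accepts(prompt: dict, site_in_address_bar: str) -> bool:
    """The researchers' advice as a decision rule: accept only when the site the
    app names matches the browser address bar. When no site is shown the user has
    nothing to compare against and accepts."""
    shown = prompt.get("requesting_site")
    return shown is None or shown == site_in_address_bar


def run_flow(show_requesting_site: bool, victim_on_fake_site: bool) -> dict:
    """Run one login and report who, if anyone, ends up logged in."""
    backend = AuthBackend()
    email = "victim@example.com"  # constructed
    if victim_on_fake_site:
        # Relay: the victim typed the email into the fake site, and the attacker
        # immediately started a genuine login with it from the attacker's browser,
        # then copied the code the real portal displayed onto the fake page.
        site_in_address_bar = FAKE_SITE
        code = backend.start_login(email, REAL_PORTAL, holder="attacker")
    else:
        # Legitimate login: the victim started it from the real portal themselves.
        site_in_address_bar = REAL_PORTAL
        code = backend.start_login(email, REAL_PORTAL, holder="victim")
    prompt = backend.app_prompt(code, show_requesting_site)
    accepted = user_accepts(prompt, site_in_address_bar)
    if accepted:
        backend.approve(code)
    session = backend.pending[code]
    return {
        "accepted": accepted,
        "approved": session.approved,
        "logged_in": session.holder if session.approved else None,
    }


if __name__ == "__main__":
    for show_site in (False, True):
        for on_fake in (False, True):
            print(f"show_site={show_site} on_fake_site={on_fake} ->",
                  run_flow(show_site, on_fake))
```

The model also makes the limit of the fix visible: it only helps if the backend knows the origin of the browser session that started the login and the app renders it faithfully, and if the user actually compares that origin with the address bar, which is the check the researchers ask users to perform.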

In the long term, Frengley and Teague suggest that the Trusted Digital Identity Framework (TDIF) should be dropped and replaced by an open standard such as OpenID Connect, or by one like those used in Belgium and Estonia.

Copyright © iTnews.com.au. All rights reserved.