Medway Council reforms eforms to stop blurting out residents’ details jstashbazarch, jstash-bazarbz

Institute For Ethical Hacking Course  and  Ethical Hacking Training in Pune – India
Extreme Hacking  |  Sadik Shaikh  |  Cyber Suraksha Abhiyan
Credits: The Register
Medway council in Kent has corked a hole in its website that spat out residents’ names, mailing addresses, phone numbers and email addresses after a Reg reader got in touch to complain.
The breach appeared courtesy of some of Medway Council’s electronic forms.
The council’s eforms were conceived during a collaboration of several bodies across Kent – the Kent Channel Migration Project – which looked at “ways to encourage more use of digital technologies within high-volume local government services.”
But according to this cached report (PDF), the launch was held back due to some “very clear flaws” – although they were in “usability and design” rather than, say, insecure object reference bugs or other security issues.
In April, the council announced on its Facebook page that eforms were going to be made “easier” for residents to use.
El Reg understands that at least a subset of these were configured with enumerable parameters and – by the looks of things – even allowed visitors write access. By changing a few digits in a URL on the relevant subdomain, our reader was able to access strangers’ personal data and we were easily able to reproduce the problem last week.
Council devs, who we understand maintain the forms, were very responsive, fixing the eforms config problem within two days of The Regalerting them to the issue.
A Medway Council spokesperson said: “We immediately removed the potentially affected forms from our website when we became aware of the potential issue. We have carried out an initial review of the matter and have found that just one form was affected in certain circumstances. We have provided an initial report to the Information Commissioner’s Office. We have also taken action to fully resolve the technical issue with the form to avoid this happening again. We take all steps to ensure personal data is protected.”
Independent security researcher Paul Moore told The Reg: “The fact this bug made it to production demonstrates that developers may not have a sound understanding of secure development practices and also brings into question their QA/security testing procedures; this type of so-called low-hanging fruit bug should be identified with the most rudimentary of tests. However, with council budgets squeezed almost to the point of bankruptcy, it’s hardly surprising.”
It’s not the council’s first time at the data protection rodeo. Just two years ago, in 2017, the local authority was rapped for not complying with an order by the Information Commissioner’s Office to keep on track with its data protection training (PDF), which itself was given during a 2015 audit. That same year, privacy watchdog Big Brother Watch found eight breaches of the Data Protection Act had taken place over the previous three years.
The council has since complied with the order, the ICO confirmed to The Reg.
Back in 2014, the council said its Twitter feed had been taken over by an individual or individuals calling themselves the “citizens of Medway” – announcing, among other things, that council tax had been cancelled.
It is not known how many residents actually used the electronic forms, but El Reg saw many of them.
The Medway Council area – which encompasses Rochester, Chatham, and Gillingham – is home to about 277,616 people, according to the most recent figures from the Office of National Statistics. Points of interest include the Chatham naval dockyard and the Norman Rochester castle; part of it was insanely torn down in the late 1870s to make way for municipal gardens, but it is mostly well-preserved. Megalith hunters should also note there are not one, not two, but six early Neolithic long barrows in the area, the most impressive of which is “Kit’s Coty House” in Aylesford, which sports three large uprights and a massive capstone, with a smaller burial chamber nearby topped with a pile of toppled sarsens.
If you fancy doing something a little closer to the 21st century’s Noughties – rather than the c 4000BC-3000BC noughties – Craig David will be performing at Rochester Castle this week.
In the immortal words of David: “She asked me for the time… I said it’d cost her name. A six-digit number and a date with me the ICO tomorrow at nine…”
The Reg responsibly disclosed the data leak to Medway Council and the ICO last week and waited until it was fixed to publish this story.
jstashbazarch jstash-bazarbz