Unveiling Vulnerabilities: A Journey from Ethical Hacking to Protecting Government Systems
I’m Dejaun, and I’m a Security Consultant, Engineer, Researcher and everything in between for Telefonica Tech UK&I. I have a big focus on enabling security excellence for customers through security delivery, managed services, security services and advisory.
I was recently invited to the UK NCSC HQ in London to be awarded a medal for my contributions to the NCSC VDP and to present my findings to the NCSC, Cabinet Office, Government organisations, NCC, HackerOne and other security researchers.
The majority of my work focuses on the public sector, which is of huge interest to me, not only because of the critical nature of security protection and prevention but simply because protecting public sector organisations has a positive impact on all of our lives. Shielding healthcare and national security from external cyber-attacks really is something to be proud of.
But this is not why I’m writing this. Because of the work I do in my 9-5 for public sector and critical national infrastructure customers, I feel I’d be doing myself and our security teams an injustice if I did not try to help protect the UK Government outside of work as well. This is where the NCSC VDP (Vulnerability Disclosure Programme) comes into play.
I’ve been ‘ethically hacking’ since I was first introduced to network security back at college, where I started sending phishing campaigns to my brothers to get into their Facebook accounts. So it was only a matter of time before I stumbled across paid Bug Bounty platforms, where security researchers can hack ethically and get paid for vulnerabilities. I started there, but it just didn’t hit the spot. Finding a vulnerability is a good feeling, but it’s nothing compared to finding a vulnerability that could affect your way of living and everyone around you.
This is where I stumbled across the UK National Cyber Security Centre’s Vulnerability Disclosure Programme. It’s a programme that allows researchers to submit vulnerabilities and findings on gov.uk domains, so that the UK Government can fix them before the bad guys find out about them. A pivotal part of security is finding these before the threat actors do!
For the NCSC VDP, I focus my priorities on testing web applications where user interaction is key – any website designed for the general public to use. In this case, I focussed on a particular local authority’s resident portal.
The resident portal allowed residents of this particular area to pay for parking permits online, letting them book in advance and make sure they don’t get a fixed penalty charge or have their car towed away.
A very good idea indeed, except that I noticed the price of the parking permit – £25 per week – could be tampered with and changed to any value. So of course I changed it to £1 to see if this would work and go through to my bank. It did.
With this information, I then changed the expiry date of the permit to the year 2030. £25 per week until the year 2030 came back as a total of £9650! So of course I tampered with the request and changed this to £1. Lo and behold, it went through to my bank as £1.
I didn’t stop there though.
I mentioned that I could change the expiry date; there was no limit on the expiration date of the permit. So of course, I changed it to the year 3000.
£25 per week, the year 3000, this cost £3,884,826.00.
Well, it actually cost £1.
The way I understand these systems work, especially within local authorities, is that the payment and the service are made via the portal, then recorded on some back-end system, all handled by computers. I wasn’t optimistic that every parking permit is individually checked by a human, so when the council came to do its finances for the year, it would technically be down £3.8m!
The issue here comes down to enabling customer excellence and user experience. It’s a common theme among web applications nowadays: better user interfaces can come at a cost…literally! The remediation for a flaw like this, which is a type of Business Logic Error/Flaw, is thorough server-side input validation throughout the application: when the client sends a request, the server knows what to expect, and if anything has changed, it denies the request. In this instance, there was no validation, so anything could be sent over.
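As an added illustration (not code from the portal or the author), here is the flawed pattern beside the fix: the vulnerable handler trusts the client’s amount, while the hardened one recomputes the price from the permit dates, caps the permit length and treats a mismatching client amount as tampering. The £25-per-week fee is from the post; the 52-week cap and the sample requests are constructed assumptions.

```python
from datetime import date

WEEKLY_FEE_PENCE = 2500      # £25 per week, the fee quoted in the post
MAX_PERMIT_WEEKS = 52        # assumed policy cap on permit length (hypothetical)


def vulnerable_charge(request: dict) -> int:
    """The flawed pattern: the amount to charge is taken straight from the client."""
    return int(request["amount_pence"])


def server_side_charge(request: dict, today: date) -> int:
    """Recompute the price from validated dates; never trust a client-supplied amount."""
    start = date.fromisoformat(request["start"])
    expiry = date.fromisoformat(request["expiry"])
    if start < today:
        raise ValueError("start date is in the past")
    days = (expiry - start).days
    if days <= 0 or days % 7:
        raise ValueError("permit must cover a positive whole number of weeks")
    weeks = days // 7
    if weeks > MAX_PERMIT_WEEKS:
        raise ValueError(f"permit longer than {MAX_PERMIT_WEEKS} weeks")
    expected = weeks * WEEKLY_FEE_PENCE
    # If the client echoes an amount, a mismatch is a tamper signal to log and reject, not a price.
    if "amount_pence" in request and int(request["amount_pence"]) != expected:
        raise ValueError(f"client amount {request['amount_pence']} != server price {expected}")
    return expected


def demo(today: date = date(2024, 1, 1)) -> dict:
    """Constructed sample requests mirroring the post: honest, tampered to £1, and expiring in 3000."""
    honest = {"start": "2024-01-01", "expiry": "2024-01-08", "amount_pence": 2500}
    tampered = {"start": "2024-01-01", "expiry": "2024-01-08", "amount_pence": 100}
    millennium = {"start": "2024-01-01", "expiry": "3000-01-01", "amount_pence": 100}
    results = {"honest": server_side_charge(honest, today),
               "vulnerable_accepts_tampered": vulnerable_charge(tampered)}
    for name, req in (("tampered", tampered), ("millennium", millennium)):
        try:
            server_side_charge(req, today)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```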
If you wish to find out if your web application is costing you more money than it’s making, and to ensure it’s secure while maintaining user experience, then please get in touch with us by emailing Security.Delivery@telefonicatech.uk or get in contact here: https://telefonicatech.uk/contact/