gov.uk security stupidity nothing new

Those of you who have been following the comments to my earlier blog posting (Please Use Firefox 2 or IE 6) or my Twitter tweets might be interested in an item I wrote for my newsletter Tales from the Terminal Room, July 2002. Entitled “Inland Revenue’s Cookies Fail Crunch Test” – sorry about the awful pun – it suggests that gov.uk seems to have learned little about security over the last 7 years:

In the UK, it is that time of year when we suddenly realise that we have only a few weeks to complete our tax forms and deliver them to the Inland Revenue. I, says she rather smugly, have already done mine but not online as the UK government continually exhorts us to do. I did have a go last year but the Web site kept crashing and after four attempts I reverted to the good old-fashioned paper form. This year I did not even consider the online route, which is just as well because the service had to be temporarily withdrawn following a security breach.

A problem with cookies allowed users of Inland Revenue’s online self-assessment tax form to see other people’s tax details. An official statement explained: “The way in which the ‘session cookie’ identifying the user was managed meant that it could, in certain rare circumstances, be presented to another user.”

It seems that Inland Revenue’s site allocated the same cookie to more than one user because they were using IP addresses to identify users. Many Internet users, and especially those accessing the Internet from home, use ISPs with dynamic IP addressing: that is, the ISP allocates a different IP address to a user each time they access the Net, which means that the same IP address may be assigned to several different users in quick succession.

The Inland Revenue said that examination of activity logs suggested that the web site had compromised the privacy of 47 of the site’s 28,679 users and there were 665 for whom the possibility could not be eliminated.

The problem has now been fixed and the site is back up and running, but I for one am not reassured.

For the Inland Revenue’s side of the story see: http://www.inlandrevenue.gov.uk/news/sa_online.htm
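The mechanism the 2002 item describes, written out as an added example (this is not code from the original posting or from the Inland Revenue site, whose implementation was never published): a session store that keys the "session cookie" on the client IP address hands the same session to two people who receive the same dynamically allocated address in succession, whereas a store that issues a random token does not. The taxpayer references, the address 192.0.2.17 and the log lines are all constructed; the `find_crossed_sessions` log review is a hypothetical version of the kind of activity-log check the statement alludes to, flagging any cookie that was presented alongside more than one taxpayer.

```python
import secrets

# Constructed sample: one ISP address that dynamic allocation hands first to
# Alice and then, minutes later, to Bob (192.0.2.0/24 is a documentation range).
SHARED_ADDRESS = "192.0.2.17"


class IpKeyedSessionStore:
    """The flaw described above: the session identifier is derived from the
    client IP address, so whoever next holds that address inherits the session."""

    def __init__(self):
        self._sessions = {}

    def login(self, client_ip, taxpayer_ref):
        cookie = f"sess-{client_ip}"  # the "session cookie" is really just the IP
        # An existing session for this address is silently reused rather than replaced.
        self._sessions.setdefault(cookie, {"taxpayer": taxpayer_ref})
        return cookie

    def whose_return(self, cookie):
        return self._sessions.get(cookie, {}).get("taxpayer")


class RandomSessionStore:
    """Hardened version: the cookie is an unguessable random token that has no
    relationship to the address; the client IP plays no part in identity."""

    def __init__(self):
        self._sessions = {}

    def login(self, client_ip, taxpayer_ref):
        cookie = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[cookie] = {"taxpayer": taxpayer_ref}
        return cookie

    def whose_return(self, cookie):
        return self._sessions.get(cookie, {}).get("taxpayer")


def simulate(store):
    """Alice logs in, goes offline, the ISP reassigns her address to Bob, and Bob
    logs in. Returns (whose return Bob's cookie shows, whose return Alice's shows)."""
    alice_cookie = store.login(SHARED_ADDRESS, "alice-ref")
    bob_cookie = store.login(SHARED_ADDRESS, "bob-ref")
    return store.whose_return(bob_cookie), store.whose_return(alice_cookie)


# Constructed activity log: "<timestamp> <cookie> <taxpayer presenting it>".
LOG = """\
2002-07-20T09:01:00 sess-192.0.2.17 alice-ref
2002-07-20T09:03:12 sess-192.0.2.17 alice-ref
2002-07-20T09:20:45 sess-192.0.2.17 bob-ref
2002-07-20T09:21:00 sess-192.0.2.40 carol-ref
"""


def find_crossed_sessions(log_text):
    """Return {cookie: set of taxpayers} for every cookie that was presented by
    more than one taxpayer, i.e. sessions whose privacy may have been compromised."""
    seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, cookie, taxpayer = line.split()
        seen.setdefault(cookie, set()).add(taxpayer)
    return {cookie: owners for cookie, owners in seen.items() if len(owners) > 1}


if __name__ == "__main__":
    print("IP-keyed store:", simulate(IpKeyedSessionStore()))  # Bob sees Alice's return
    print("Random store:  ", simulate(RandomSessionStore()))   # each sees only their own
    print("Crossed sessions in log:", find_crossed_sessions(LOG))
```

Note that the IP-keyed store fails whichever way the collision is handled: reusing the existing session (as here) shows Bob Alice's return, while overwriting it would let Alice's still-valid cookie show her Bob's. Only decoupling the identifier from the address, as the second store does, removes the problem.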

Inevitably, the URL in the final sentence no longer works, but you can still view a copy at http://www.archive.org/. Copy and paste the whole URL into the Wayback Machine "Take Me Back" box, and on the list of results click on August 2002. Alternatively, http://web.archive.org/web/20020804140436/http://www.inlandrevenue.gov.uk/news/sa_online.htm should take you straight there.