c’t reveals: security vulnerability at the Lower Saxony Ministry of Culture


When it comes to open data, many German authorities still have some catching up to do. The Lower Saxony Ministry of Science and Culture (MWK) has, unintentionally, gone ahead of them: numerous funding applications were almost unprotected, and with them names, addresses, copies of ID documents, bank details and much more. Affected was the portal for “online application procedures”, through which artists, associations and museums apply for funding or scholarships. The operators apparently made an elementary mistake that all too often leads to a data breach.


You did not have to be a gifted hacker to retrieve the applicants' sensitive data: it was enough to create an account and change an ID number in the URL. The affected URL parameter carried the tellingly named “User ID”, and its value was a three-digit number, an open invitation to data thieves. Whoever changed that number was served another applicant's sensitive data by the server, no questions asked.


It would almost certainly also have been possible to change the stored data, for example the bank details to which the payment is made, but we did not try this.

Our reader Falk Rismansanj set the ball rolling: out of curiosity he changed the URL parameter and could hardly believe the alarming result. He then informed c’t and heise Security.

After verifying the problem, we contacted the ministry. It reacted promptly and switched the service off the same day. It is trying to limit the damage and now wants to have the application procedure “checked by external experts”, Heinke Traeger of the MWK told c’t and heise Security. That should have happened before the portal went live; now the damage is done. The data collected is extensive and valuable, especially to cyber criminals, who often misuse such data for fraud of all kinds for years after the actual incident.

It is particularly annoying how easy the MWK made it for potential data thieves to get at the applicants' sensitive data. Simply counting up IDs in URL parameters has “hacked”, if you want to call it that, a whole series of websites in recent years. Manipulating URL parameters is one of the first things anyone interested in a website's security tries, whatever their motivation. As an operator you should never rely on an ID not being guessed, least of all when it is only three digits long.

One possible protective measure is long, random IDs, e.g. F0E822D5DB2484112879B9D4983428F4 instead of 123; the probability that a data harvester guesses such a code is negligible. That is only a supplement, however: regardless of ID length, the server must check whether the logged-in user is authorized to access application 123 at all. Short, sequential IDs merely make a missing check trivial to exploit.
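To make the flaw and the fix concrete, here is an added example (not code from the MWK portal, whose implementation is unknown) that models the handler behind such a URL as plain Python functions, with constructed sample data: a vulnerable lookup that trusts the URL parameter alone, a hardened lookup that enforces ownership, the enumeration loop an attacker would run against each, and the random-ID generator as a complement. Names such as `APPLICATIONS`, `Forbidden` and `enumerate_ids` are this example's own.

```python
"""Insecure direct object reference (IDOR) on a funding application record.

Added illustration: a web framework is replaced by plain functions so the
code runs offline. The handlers receive the logged-in account (from the
session) and the "User ID" value taken from the URL.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Application:
    app_id: str
    owner: str            # account that submitted the application
    applicant_name: str
    iban: str


# Constructed sample store keyed by the three-digit IDs the article describes.
APPLICATIONS = {
    "123": Application("123", "alice", "Alice Example", "DE02 1001 0010 0123 4567 89"),
    "124": Application("124", "bob", "Bob Example", "DE02 1203 0000 0000 2020 51"),
    "125": Application("125", "carol", "Carol Example", "DE02 5001 0517 5407 3249 31"),
}


class Forbidden(Exception):
    """Raised when the logged-in account does not own the requested record."""


def get_application_vulnerable(session_user: str, user_id: str) -> Optional[Application]:
    """Mirrors the flaw: the record is looked up by the URL parameter alone;
    the logged-in account is never consulted."""
    return APPLICATIONS.get(user_id)


def get_application_hardened(session_user: str, user_id: str) -> Optional[Application]:
    """Object-level authorization: the record must belong to the session user.
    A real handler would answer 403 (or 404, to avoid confirming that the
    record exists) instead of raising."""
    app = APPLICATIONS.get(user_id)
    if app is None:
        return None
    if app.owner != session_user:
        raise Forbidden(f"{session_user} may not read application {user_id}")
    return app


Handler = Callable[[str, str], Optional[Application]]


def enumerate_ids(handler: Handler, session_user: str, lo: int = 100, hi: int = 999) -> list:
    """The 'attack' from the article: log in once, then count through every
    three-digit ID and collect the records the server hands back."""
    leaked = []
    for n in range(lo, hi + 1):
        try:
            app = handler(session_user, str(n))
        except Forbidden:
            continue
        if app is not None:
            leaked.append(app.app_id)
    return leaked


def random_application_id() -> str:
    """128-bit random identifier (32 hex digits, like the example in the text).
    It defeats counting, but it complements the ownership check; it does not
    replace it, since IDs leak via logs, referers and shared links."""
    return secrets.token_hex(16).upper()


if __name__ == "__main__":
    # Logged in as "alice", walk the ID space against both handlers.
    print("vulnerable:", enumerate_ids(get_application_vulnerable, "alice"))
    print("hardened:  ", enumerate_ids(get_application_hardened, "alice"))
    print("random id: ", random_application_id())
```

Against the vulnerable handler a single account walks away with every record; against the hardened one the same loop yields only the caller's own application. The ownership check is the fix; the random ID only makes the remaining attack surface harder to sweep.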

The ministry told c’t and heise Security that it has reported the incident to the responsible data protection officer as required by the GDPR and also intends to inform all affected applicants. According to the MWK the damage appears to be limited: a double-digit number of accounts was affected. At the time of writing the online application procedure was not back online. Anyone wishing to apply for funding has to pick up the phone until further notice.

This entry is from c’t 17/2020.
