Critical vulnerability in PH National ID System fixed


A data privacy leak of massive proportion that could potentially put to shame the COMELeak, LTO, AFP, and all other local breaches put together was waiting to happen as PhilSys was about to put online the registration for the country's National ID System.

This week, the Philippine Statistics Authority, the agency responsible for the Philippine Identification System or PhilSys, announced the online registration for the National ID System. Philsys aims to establish a single national identification system for all citizens and resident foreigners of the country.

The Philippine Identification System or PhilSys is the government’s central identification platform for all Filipino citizens and resident aliens of the Philippines. (Photo from https://atom.hackstreetboys.ph/)

To ensure the system's smooth operation, PhilSys put up a User Acceptance Testing environment or UAT. It is a production-like setup, a final step before making the system available to the public.

When Secuna co-founder AJ Dumanhug noticed the PSA announcement, he immediately checked the PhilSys subdomains for possible security problems that could arise when the system is up for public use.

"As a security researcher and concerned data subject, I quickly checked the available subdomains of philsys.gov.ph using an online website and discovered the subdomain named register.philsys.gov.ph," Dumanhug said in his post.

Using the information from previous vulnerabilities he reported and promptly fixed by PhilSys, he found out that there is a new critical vulnerability in the final phase of the testing environment of the National ID System. By merely checking passively, he found out sensitive information that could be exposed if not fixed immediately.

The PhilID is a valid proof of identity that can be used to transact with the government and private sector. It is a non-transferable card issued upon successful registration to the PhilSys.

"I discovered some domains, IP addresses, Database IP, ports used, GitHub repository link, and other information. I also found sensitive information such as secret keys and passwords. The worst is that I found critical information that malicious individuals could exploit, such as authorization token of users who registered for PhilSys, their IP address, the system's IP address, cookies, and user's PhilSys registration ID." AJ Dumanhug said in an interview with MB Technews.

"The latest vulnerability could allow malicious users to access sensitive system information and retriever personally identifiable information of PhilSys users," he added. Since PhilSys aims to give all citizens and resident aliens a national ID, the potential of the data breach victims, if not fixed, could be millions.

AJ Dumanhug then informed PhilSys about his findings, and PhilSys immediately fixed the vulnerability. We could now expect a more secure PhilSys system once people start to register online.

AJ Dumanhug, Secuna co-founder and one of the country's top cybersecurity practitioners, once again proves that private companies and government agencies would benefit more if they would have responsible disclosure programs. It is a process that allows security researchers to report to the company or agency found vulnerabilities in their systems, networks, or services.

Here are some of his recommendation to PhilSys:

1) Change the secret keys and password 2) Check for sensitive folders and files or open services and remove or close them before deploying online.

AJ Dumanhug was also responsible for exposing unauthorized access of malicious users to the LTO's database. While LTO denied a breach and that the data are unnecessary, the National Privacy Commission investigated the agency for the leak and ordered the internet service providers to take down the website that collects information from the LTO database.