Because i Matter

Wong Onn Chee

SG Government Site A - security loophole that allows hackers to send malicious emails to users under the name of the Site.

This incident had been reported and the vulnerability has been closed.

This vulnerability is deemed as high risk to the general public.
This is because hackers can make use of the SG Govt site, without any authentication, to send malicious emails to infect trusting citizens using the SG Govt identity.

If you trace the email headers, they will be found to be legitimately sent from the SG Govt site, with no indication that a hacker may have sent it.

I believe most SG citizens will not be suspicious or be on guard when they receive official emails from the SG Govt.


For the technical folks, the main cause of this vulnerability is the use of HTML hidden form fields to submit the content of the email, as seen in SGGovt-Site-A-Page-Source.png. As the email is sent in HTML format, hackers can potentially send a malicious email with links, invisible iframes or JavaScript to trick recipients into downloading & installing malware.

This attack is called parameter tampering. Won't be describing this technique in detail here, but I am always game to talk over beer. :-)

SGGovt-Site-A-Get Email Address.png shows the unauthenticated page where you can submit an email address to send the malicious email to. SGGovt-Site-A-Email Confirmation.png shows the acceptance and confirmation of the malicious email.
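Added example, not part of the original post and not the site's code: a minimal Python sketch of the pattern the post describes (email body taken from a hidden form field) beside a handler that renders the body from a server-side template and checks a MAC on the one value that has to round-trip through the browser. The field names (`email_body`, `ref`, `ref_sig`), the template and the key are hypothetical.

```python
import hashlib
import hmac
import html
from email.message import EmailMessage

# All names and values below are constructed for illustration.
SERVER_KEY = b"demo-key-rotate-me"
RECEIPT_TEMPLATE = "<p>Dear {name},</p><p>Transaction {ref} was received.</p>"


def sign_ref(ref: str) -> str:
    """MAC for server-issued state that must round-trip through the browser."""
    return hmac.new(SERVER_KEY, ref.encode(), hashlib.sha256).hexdigest()


def _message(to: str, html_body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["To"] = to
    msg["Subject"] = "Transaction receipt"
    msg.set_content(html_body, subtype="html")
    return msg


def build_vulnerable(form: dict) -> EmailMessage:
    """Pattern from the post: the hidden field's value becomes the HTML body."""
    return _message(form["to"], form["email_body"])


def build_hardened(form: dict) -> EmailMessage:
    """Ignore any client-supplied body; verify, escape, render server-side."""
    ref, to = form.get("ref", ""), form.get("to", "")
    sig = form.get("ref_sig", "")
    if not hmac.compare_digest(sign_ref(ref).encode(), sig.encode()):
        raise ValueError("transaction reference was modified")
    if to.count("@") != 1 or any(c in to for c in "\r\n ,;<>"):
        raise ValueError("invalid recipient")
    body = RECEIPT_TEMPLATE.format(
        name=html.escape(form.get("name", "")), ref=html.escape(ref))
    return _message(to, body)


if __name__ == "__main__":
    form = {"to": "alice@example.org", "name": "Alice", "ref": "TX-1001",
            "ref_sig": sign_ref("TX-1001"),
            "email_body": '<a href="https://example.invalid/">Update now</a>'}
    print(build_vulnerable(form).get_content())  # body is the client's HTML
    print(build_hardened(form).get_content())    # body is the fixed template
```

The hardened handler fixes the content only; a page that mails any address without authentication still needs rate limiting or a check that the recipient belongs to the transaction.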

Replies to This Discussion

Wow, even though I am new to the security scene, I had no idea that such simple vulnerabilities are still about, especially in governmental sites.


Hello Onn Chee,

How did you chance upon this? Did you intentionally inspect the HTML or otherwise?


All I can say is that I discovered the vulnerability when I was using the e-service from the Govt portal.

Saw some tell-tale signs from the workflow of the whole transaction.

I think we, as in Singaporeans, are lucky this hole was not exploited by malicious hackers.

If not, I am pretty sure lots of Singaporeans can be tricked by a genuine SG Govt email to install malware.

© 2010   Created by Because i Matter.