Problem
CompSec Direct recently became aware of an information disclosure problem with the https://unired.ramajudicial.pr/lawyernotificationauthentication/ application used by the judicial branch of the Puerto Rico government. The application uses a weak sequential ID string that is provided to attorneys and clients in order to view sensitive legal documents. Manipulating the ID string with simple math, similar to the overturned conviction in the case United States v. Andrew Auernheimer, where the appeals court ruled that using an incremental integer to separate records and determining such is not a penetration of systems nor a hack for that matter leads to the exposure of all documents provided by this web-application.
Example
https://unired.ramajudicial.pr/lawyernotificationauthentication/?di=XXXXXX
Where X is a 6 number Document ID, hence di. We have chosen not to directly link to any valid documents in order to minimize information disclosure.
Proofing
We created a simple application to find working documents. By evaluating HTTP 200 response codes and download output, we identified
20,065 number of valid documents retrieved out of a test sample of 70,000 requests.
Code Proof
#!/bin/bash START=XXXXXX END=XXXXXX for i in $(seq $START $END); do curl -s -o “Document-ID-$i” -w “%{http_code}” “https://unired.ramajudicial.pr/lawyernotificationauthentication/?di=$i”; done
Contents of documents
- ASUME related notices
- Contempt of court rulings
- Proceedings involving minors
- Other sensitive legal actions against citizens of Puerto Rico
Why did this happen?
We consider the governments effort to modernize public offerings in relation to the benefits achieved by making court documents more accessible to the involved parties as a main driver for this application. Since it is difficult to maintain a user-registration portal that effectively links involved parties to correct documents, the developers of this solution may have been provided requirements that did not address this and thus this may be the result. However, if the government of Puerto Rico can centralize all citizen accounts across all government e-portals, perhaps this is feasible given the desired e-Government objectives of the current administration.
Recommended Solution
Like many other web-application security problems, this can be easily solved by:
- Easiest: Using a random document ID, perhaps a random sha1 string.
- Better: Encrypting the PDF’s presented on the site with a password either known or divulged to parties.
- Best: Combined e-government accounts as described above.
Notification Timeline
We used the Whois contact for the ramajudicial.pr domain and emailed the POC for the domain on May 30,2017 seeking information on the responsible vendor and security staff responsible for the application.
Sought POC from PR CIO. Provided contents and materials between June 1 and June 2, 2017 to Judicial Branch CISO. POC asked for examples of cases involving minors; proof’s provided.
Sought additional POC that approved order for e-Notification system on June 2, 2017. POC shared concerns expressed by CompSec Direct.
Extending release time 3 days on June 5, 2017
No further response. Organization representatives believes all information hosted is public.
June 12, 2017: public notification.
June 20, 2017: Other government PoC’s working on the problem due to cases involving minors.
How can this be avoided in the future?
Web-application security testing is often not a priority for the organizations that develop these systems. This seems to be a design problem that could have been easily identified during a review phase by knowledgeable individuals as opposed to an outsourced code-review requiring additional funding. Future and current modernization projects should seek expert help using:
- the local talent in Puerto Rico
- 3rd parties that primarily focus on security services
- Requiring vendors to provide proof of security validation performed within reasonable limits.