Canada’s government was in an uproar after a citizen found that when applying online for a passport he could easily access other people’s passport applications.
Jamie Laning, an IT worker at Algonquin Automotive in Huntsville, Ontario, told eWEEK that on Nov. 29 he was applying online for a passport to travel to the United States when he found that by tinkering with the URL during Passport Canada’s online registration process, he could flip back and see the application of whoever had been on the site immediately before him.
Laning merely changed a letter in the browser’s URL, flipping back from “M” to “L.” Laning found that he could access data, which included social insurance numbers, dates of birth, driver’s license numbers and addresses of people applying for passports.
According to the Toronto daily newspaper The Globe and Mail, other information included in the applications consists of home and business phone numbers, a federal ID card number, and firearms license numbers.
“It was way too easy,” Laning told eWEEK, and his tinkering was by no means random. “I got to part five and didn’t have all the information I needed. I needed a few references, and I didn’t have their addresses. So I sent an e-mail to a reference, and while I was waiting for a reply, I looked at the address bar, and I saw my record ID sitting in there. I thought, ‘What if I changed it?’ I just took off the M and put on an L, the letter for the guy before me in line, and boom! His information showed up on the screen.”
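The behaviour Laning describes is a lookup that trusts the record ID in the URL without checking that the record belongs to the requesting session. The Python below is an added illustration, not Passport Canada's code; the record IDs, session identifiers and function names are constructed for the example. It contrasts that lookup with one that enforces ownership and shows how a denied lookup can be picked out of request logs.

```python
# Added illustration: all identifiers and data here are constructed samples.
import secrets

# Constructed store: adjacent record IDs, as in the article's "M" and "L".
APPLICATIONS = {
    "APP-L": {"owner_session": "sess-previous", "name": "Applicant L (sample)"},
    "APP-M": {"owner_session": "sess-current", "name": "Applicant M (sample)"},
}

def fetch_vulnerable(record_id, session_id):
    """Flawed pattern: returns whatever record the URL names; session is ignored."""
    return APPLICATIONS.get(record_id)

def fetch_checked(record_id, session_id):
    """Returns the record only when it belongs to the requesting session."""
    record = APPLICATIONS.get(record_id)
    if record is None:
        return None
    if not secrets.compare_digest(record["owner_session"], session_id):
        # Same answer as "no such record", so responses reveal nothing about IDs.
        return None
    return record

def new_record_id():
    """Unguessable ID: defence in depth, not a substitute for the ownership check."""
    return "APP-" + secrets.token_urlsafe(16)

def cross_account_requests(request_log):
    """Detection: list (session, record) pairs where a session asked for a
    record that exists but is owned by a different session."""
    hits = []
    for session_id, record_id in request_log:
        record = APPLICATIONS.get(record_id)
        if record is not None and record["owner_session"] != session_id:
            hits.append((session_id, record_id))
    return hits

# Constructed request log: the second entry is the edited-URL request.
SAMPLE_LOG = [("sess-current", "APP-M"), ("sess-current", "APP-L")]

if __name__ == "__main__":
    print(fetch_vulnerable("APP-L", "sess-current"))  # another applicant's data
    print(fetch_checked("APP-L", "sess-current"))     # None
    print(cross_account_requests(SAMPLE_LOG))
```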
Passport Canada did not respond to eWEEK’s calls by the time this story posted, but government officials did tell The Globe and Mail on Dec. 5 that the problem had been fixed.
A Passport Canada spokesman told the Toronto news outlet that the problem—which he called an “isolated anomaly”—was repaired on Friday. Yet after the site resumed operation on the afternoon of Dec. 4, The Globe and Mail found that a few keystrokes were still all that was needed to reveal passport applicants’ names, addresses, phone numbers of references and emergency contacts.
The Globe and Mail went on to contact a Brampton resident whose personal information was accessed by Laning. Jason Marsden told the publication that he was “totally surprised” to learn that his personal information was so readily available.
“If you read the disclaimer on the website, it’s supposed to use high-tech security,” Marsden said in an interview with The Globe and Mail. “You’d think it wouldn’t be that bloody simple.”
In fact, in the past two weeks, it has been bloody simple to find incidents of data breaches throughout the British Commonwealth. The British government disclosed on Nov. 20 the loss of confidential details of 25 million child benefit recipients that had been stored on two computer disks. Canada itself lost intimate medical data including HIV and hepatitis test results for an undetermined number of citizens in a recent security breach, the government of Newfoundland and Labrador admitted Nov. 26.