Vulnerability in PostBus public transport platform exposed customer data

PostBus has resolved a serious data exposure vulnerability in one of its online Swiss public transport platforms.

ZFT cybersecurity researchers Sven Faßbender, Martin Tschirsich, and Dr André Zilch conducted a penetration test on the Ticketcontrol.ch platform, operated by PostBus, a subsidiary of Swiss Post.

TicketControl is an online service used to manage fare dodging in Switzerland. The platform is designed to identify people who repeatedly travel on public transport without paying by connecting to a national register. Passengers can also upload proof that they held a valid ticket at the time an offence was recorded.

‘Obvious deficiency’

ZFT researchers say the penetration test revealed the compromise of confidential, centrally stored data through “an obvious deficiency”, an insecure direct object reference (IDOR) vulnerability.

IDOR vulnerabilities are access control flaws that arise when an application uses user-supplied input, typically an identifier in a URL or request parameter, to reference an object directly, such as a database record or a stored file, without checking that the requester is actually permitted to access that object.

When exploited, an IDOR lets an attacker bypass access controls to read or leak data, or to modify resources that belong to other users.

According to the report (PDF, translated), a lack of access control on a Ticketcontrol path allowed external, unauthenticated attackers to load resources such as crafted JavaScript code or malicious image files with nothing more than an HTTP GET request and a numeric identifier.

In theory, this allowed attackers to pull customer data from the platform.

“People who used the train or bus without a valid ticket had to upload documents that contained personal information in the affected application,” Faßbender told The Daily Swig.

“By utilizing the IDOR vulnerability an attacker was able to download those documents. An attacker could use those documents to impersonate the victims or mount further attacks such as stalking or phishing attempts.”

Raising the ticket

The vulnerability was privately reported to PostBus AG, the Federal Data Protection and Information Commissioner (FDPIC), and the National Cyber Security Centre (NCSC) on January 21, 2022.

PostBus confirmed the vulnerability and “immediately remedied” the flaw, according to ZFT.

Local media outlet SRF reports that 1,776 exposed datasets were deleted following remediation. The operator said it “very much regret[s] this error and apologize[s] to the customers whose data we have not adequately protected”.

The research team recommends that portals of this kind perform server-side authorization checks before a request is processed, and that where an authorization system is in place it follows the least-privilege principle, so that each account can reach only the records it genuinely needs.
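The IDOR pattern described earlier in the article and the server-side authorization check the researchers recommend, shown side by side as an added example. This is not code from the Ticketcontrol platform, PostBus, ZFT or The Daily Swig; the document records, user names, the inspector case assignment, the handler names and the use of status codes as return values are all assumptions made up for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed sample data, not real PostBus records: uploaded proof-of-ticket
# documents keyed by the sequential numeric ID that the download URL carries.
@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str        # passenger who uploaded it
    filename: str
    content: bytes

DOCUMENTS: Dict[int, Document] = {
    1001: Document(1001, "alice", "ticket_alice.pdf", b"%PDF-1.4 alice"),
    1002: Document(1002, "bob",   "ticket_bob.jpg",   b"\xff\xd8\xff bob"),
    1003: Document(1003, "carol", "ticket_carol.png", b"\x89PNG carol"),
}

# Assumed staff scoping for least privilege: an inspector may read only the
# uploads attached to cases assigned to them, never the whole store.
CASE_ASSIGNMENTS: Dict[str, Set[int]] = {"inspector_x": {1002}}

Response = Tuple[int, bytes]   # (HTTP status, body)


def get_document_vulnerable(doc_id: int) -> Response:
    """IDOR: the identifier from the GET request is the only input. There is
    no session check and no comparison against the document's owner, so any
    caller who can count can fetch any upload."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, b""
    return 200, doc.content


def harvest(handler: Callable[[int], Response], start: int, end: int) -> Dict[int, bytes]:
    """What an unauthenticated attacker does against the vulnerable handler:
    walk the numeric ID space and keep every response that returns content."""
    leaked: Dict[int, bytes] = {}
    for doc_id in range(start, end + 1):
        status, body = handler(doc_id)
        if status == 200:
            leaked[doc_id] = body
    return leaked


def is_authorized(user: str, doc: Document) -> bool:
    """Server-side authorization: the owner of the object, or staff explicitly
    assigned to its case. Nothing else."""
    return doc.owner == user or doc.doc_id in CASE_ASSIGNMENTS.get(user, set())


def get_document(session_user: Optional[str], doc_id: int) -> Response:
    """Hardened handler: authenticate first, then authorize against the object
    before its content is touched. A document the caller may not read is
    reported exactly like one that does not exist, so the ID space cannot be
    mapped by telling 403 apart from 404."""
    if session_user is None:
        return 401, b""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not is_authorized(session_user, doc):
        return 404, b""
    return 200, doc.content


if __name__ == "__main__":
    print("vulnerable, no session:", sorted(harvest(get_document_vulnerable, 1000, 1010)))
    print("hardened, no session:", get_document(None, 1001)[0])
    print("hardened, alice -> 1002:", get_document("alice", 1002)[0])
    print("hardened, inspector_x -> 1002:", get_document("inspector_x", 1002)[0])
    print("hardened, alice harvesting:", sorted(harvest(lambda d: get_document("alice", d), 1000, 1010)))
```

Run against the vulnerable handler, the harvest loop collects every upload in the store with no credentials at all, which is the enumeration the report describes. Against the hardened handler the same loop, even from a logged-in passenger, yields only that passenger's own document, and the inspector account reaches only the one case assigned to it. Returning 404 for both "missing" and "not yours" is deliberate: a distinct 403 would still tell an attacker which identifiers exist.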

The Daily Swig has reached out to PostBus with additional queries and we will update this story if and when we hear back.


Source: https://portswigger.net/daily-swig/vulnerability-in-postbus-public-transport-platform-exposed-customer-data
