PostBus has resolved a serious data exposure vulnerability in one of its online Swiss public transport platforms.
ZFT cybersecurity researchers Sven Faßbender, Martin Tschirsich, and Dr André Zilch conducted a penetration test on the Ticketcontrol.ch platform, operated by PostBus (PostAuto Schweiz AG), a subsidiary of Swiss Post.
TicketControl is an online service used to manage fare dodging in Switzerland. The platform has been designed to identify people who continually avoid paying their way on public transport by connecting to a national register. Passengers are also able to upload proof they had valid tickets at the time an offense was recorded.
‘Obvious deficiency’
ZFT researchers say the penetration test revealed the compromise of confidential, centrally stored data through “an obvious deficiency”, an insecure direct object reference (IDOR) vulnerability.
IDOR vulnerabilities are access control flaws that arise when an application uses user-supplied input, typically an identifier in a URL or request parameter, to locate an object directly (a database record, an uploaded file, a static resource) without checking that the caller is authorized to access that particular object.
If exploited, IDOR flaws let an attacker bypass access controls by simply changing the identifier, exposing or modifying other users' data.
According to the report (PDF, translated), a missing access control check on a Ticketcontrol path allowed external, unauthenticated attackers to retrieve stored resources such as uploaded image files with nothing more than an HTTP GET request carrying a numeric identifier.
Because the identifiers were numeric, an attacker could simply iterate through them, and in practice this allowed customer data to be pulled from the platform.
“People who used the train or bus without a valid ticket had to upload documents that contained personal information in the affected application,” Faßbender told The Daily Swig.
“By utilizing the IDOR vulnerability an attacker was able to download those documents. An attacker could use those documents to impersonate the victims or mount further attacks such as stalking or phishing attempts.”
Raising the ticket
The vulnerability was privately reported to PostBus AG, the Federal Data Protection and Information Commissioner (FDPIC), and the National Cyber Security Centre (NCSC) on January 21, 2022.
PostBus confirmed the vulnerability and “immediately remedied” the flaw, according to ZFT.
Local media outlet SRF reports that 1,776 exposed records were deleted following remediation. The operator said it “very much regret[s] this error and apologize[s] to the customers whose data we have not adequately protected”.
The research team recommends that portals like this perform server-side authorization checks before any request is processed, and that the least-privilege principle be applied wherever authorization systems are in use.
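To make the IDOR pattern described above and the recommended server-side check concrete, here is an added example that is not code from the Ticketcontrol platform or from the ZFT report. It models a document-download handler in plain Python (no web framework): the "before" version trusts a sequential numeric id and returns whatever it points at, an enumeration loop shows how an unauthenticated caller walks the id space, and the "after" version authenticates the caller, checks ownership of the object on the server before returning it, and optionally replaces sequential ids with random handles. The store, user names, document ids and file contents are constructed for illustration.

```python
"""Added example: an IDOR read on a document-download endpoint and the
server-side ownership check that closes it. Modelled as plain request
handlers; all data below is constructed and not from the original report."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Document:
    owner: str       # account that uploaded the file
    filename: str
    content: bytes


# Constructed sample data: uploads from two passengers, keyed by a
# sequential numeric id (the property that makes enumeration trivial).
DOCUMENTS: Dict[int, Document] = {
    1001: Document("alice", "ticket.jpg", b"<alice's ticket scan>"),
    1002: Document("bob", "id_card.pdf", b"<bob's ID card>"),
    1003: Document("alice", "receipt.png", b"<alice's receipt>"),
}


class Forbidden(Exception):
    """Raised where a real handler would return 403/404."""


def vulnerable_download(doc_id: int) -> bytes:
    """Before: the handler uses the user-supplied id directly and performs
    no authentication or authorization check, so any caller reads any record."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    return doc.content


def enumerate_documents(start: int, stop: int) -> Dict[int, bytes]:
    """What an unauthenticated attacker does against the vulnerable handler:
    issue one GET per id and keep whatever comes back."""
    found: Dict[int, bytes] = {}
    for doc_id in range(start, stop):
        try:
            found[doc_id] = vulnerable_download(doc_id)
        except KeyError:
            continue
    return found


def secure_download(session_user: Optional[str], doc_id: int) -> bytes:
    """After: require a logged-in user, then check on the server that the
    requested object belongs to that user before touching it. The check is
    on the resource itself, not on the shape of the URL."""
    if session_user is None:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    # Same response for "missing" and "not yours" so the id space cannot be
    # mapped by telling a 403 apart from a 404.
    if doc is None or doc.owner != session_user:
        raise Forbidden("no such document")
    return doc.content


# Defence in depth: hand out unguessable handles instead of sequential ids.
# The ownership check above still runs; the handle only removes enumeration.
HANDLES: Dict[str, int] = {}


def issue_handle(doc_id: int) -> str:
    """Mint a random, URL-safe handle for a stored document."""
    handle = secrets.token_urlsafe(16)
    HANDLES[handle] = doc_id
    return handle


def secure_download_by_handle(session_user: Optional[str], handle: str) -> bytes:
    doc_id = HANDLES.get(handle)
    if doc_id is None:
        raise Forbidden("no such document")
    return secure_download(session_user, doc_id)


if __name__ == "__main__":
    # Ten requests against the vulnerable handler recover every stored file.
    print(sorted(enumerate_documents(1000, 1010)))
    # The hardened handler only serves the caller's own documents.
    print(secure_download("alice", 1001))
```

Note that the random handle alone is not the fix: an attacker who learns a handle (from a shared link, a log, a referrer header) would still get the file if the ownership check were missing. The authorization check is what the researchers recommend; the handle merely removes the cheap enumeration that made the Ticketcontrol flaw exploitable without credentials.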
The Daily Swig has reached out to PostBus with additional queries and we will update this story if and when we hear back.