A vulnerability on the Australian National Disability Insurance Scheme (NDIS) website could have allowed attackers to create their own web pages on the government site. The vulnerability was quickly fixed once it was disclosed to the agency and technology provider Form.IO.
The vulnerability was discovered after a question to a Facebook disability support group about a strange SMS that a person had received.
Of course, it is always good to be suspicious of messages asking you to click on a link. The fact that a message contains personal information, as it did in this case, is not a good enough reason to trust a link.
In this case the URL in the SMS refers to an Australian Government website, which is a reasonable indication that this is a legitimate message. However, it is still wise to be wary, because a link in a message or email can take a person to a completely different site than its text would indicate.
For me however, I only had the image, so I typed in the URL, fairly confident that it was not malicious because it was a .gov.au (Australian government) domain. I wanted to confirm that it was safe, before responding to this query with any advice.
https://myform.apps.ndia.gov.au/?src=https://forms.apps.ndia.gov.au/jpgbthlbzkn****/iasms&org=ndis&theme=ndis&smsid=*****
This URL goes to a fairly standard looking web form asking for details from the individual. Nothing unusual there. One of the strange things about this URL, however, is that it is actually two URLs. Part way through the URL there is a ?src= followed by a second URL. I wonder how this works and if I can make it do something else. I try changing the URL a bit to see what happens. First I try…
https://myform.apps.ndia.gov.au/?src=https://google.com/
I get a screen that looks like it is loading, but nothing happens. Next I just try going to the original domain without the ?src=etc.
https://myform.apps.ndia.gov.au/
This takes me to a page that asks for a “Form Embed URL”.
This tells me who the creator of this form application is: Form.IO. I have a look at their website and find that they offer many things, including simple-to-use forms for websites.
At this point I try several options in this form.
https://google.com — This fails. I again get to a page that looks like it is loading, but nothing further happens.
https://forms.apps.ndia.gov.au/jpgbthlbzkn****/iasms&org=ndis&theme=ndis&smsid=***** — This is the second half of the original URL. And I am taken back to the original form.
https://examples.form.io/example — This works. I get a sample form from Form.IO. I can also embed this in the original URL and get the same result:
https://myform.apps.ndia.gov.au/?src=https://examples.form.io/example
So now we have a URL from a government website, but the content is coming from somewhere else. What if we could create our own form and insert it in the URL? Could we create a form and access it via a Government website URL? Spoiler alert — I could.
So the next step was to find out what was in the source, in that second URL. Here is what https://examples.form.io/example looks like.
This is JSON data — a particular format of data that is used quite extensively within websites (and in many other technologies). If you look closely you will see all of the text that is on the example form along with other information about how the form should look. But I cannot edit this information, so I can’t change the form. I want to be able to set up my own form and insert it into the URL.
My first attempt at this was to set up my own webpage with the exact same data in it. Once I have done this, I can start to adjust the data and see what happens to the form.
Unfortunately this attempt failed. I set up a page that returned exactly the same data as https://examples.form.io/example. When I embedded this new URL into the original, I got the loading page that never loaded. A little symbol in the middle of the browser screen spinning to give the impression that something is happening but nothing actually does.
My second attempt was more successful. I found that Form.IO offers a free 7 day trial of their system. I could create my own form in a free account. The only question was — could I then embed that form in a URL of the ndia.gov.au site?
I created a form. I tested it on the Form.IO site to see how it all worked. I could create a form. I could enter data and it would be recorded in my account. Now all that was left was to embed it in the ndia.gov.au URL. After doing that I had my own form essentially on a government website.
I of course filled in the details and clicked ‘Submit’ — I got an error message. I could not actually submit the form. So I created a different form. More of a webpage than a form.
As my form states, I could embed a link to anywhere and people are likely to believe it is safe because they are on a government website.
I made further attempts to get my original form working. While being able to create any page on a website you shouldn’t have access to is a security problem, being able to ask people for their personal details via a form would be even worse.
Now all that was left to do was to convince the NDIS to fix this issue on their site. Previous experience has shown me that it is not always an easy task. The last time I reported an issue to the NDIS, it had taken months and in the end I gave up with the issue only half resolved. I looked up my contacts from this last report and emailed them explaining the issue and providing them links to the page I had “created” on their website. Because it was a government agency I also emailed the Australian Cyber Security Centre. And finally I emailed Form.IO, letting them know of the issue.
The Australian Cyber Security Centre were the only ones to respond to my email. They thanked me for my vulnerability report. They also told me that it is an offence to access a computer without proper authorisation, and that I should “please take appropriate steps to ensure you operate within the law during any research”.
I was impressed to see that this issue was fixed within a week. I have yet to receive any communication letting me know of the resolution. My best guess is that this was a case of misconfiguration. The form should be limited in where it can take data from, and if the initial configuration allows data to be accessed from the Form.IO site, then this should be changed.
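The restriction suggested above, as an added example (not NDIS or Form.IO code): the embed page checks the src parameter against an exact-origin allowlist before it loads any form definition. It assumes forms.apps.ndia.gov.au is the only intended source; the function name, the project path and the lookalike host in the samples are constructed.

```javascript
// Assumption: this is the only origin the embed page should ever load
// form definitions from (inferred from the link in the SMS).
const ALLOWED_FORM_ORIGINS = new Set(["https://forms.apps.ndia.gov.au"]);

// Hypothetical helper: decide whether the ?src= value may be loaded.
function checkFormSrc(pageUrl, allowedOrigins = ALLOWED_FORM_ORIGINS) {
  let src;
  try {
    const values = new URL(pageUrl).searchParams.getAll("src");
    // Reject repeated src= so two parsers cannot disagree on which one wins.
    if (values.length !== 1) {
      return { ok: false, reason: "expected exactly one src parameter" };
    }
    src = new URL(values[0]); // throws on relative or malformed values
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (src.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  if (src.username || src.password) {
    return { ok: false, reason: "credentials in URL" };
  }
  // Compare the parsed origin exactly. Prefix or substring tests on the
  // raw string are what lookalike hostnames slip past.
  if (!allowedOrigins.has(src.origin)) {
    return { ok: false, reason: `origin not allowed: ${src.origin}` };
  }
  return { ok: true, src: src.href };
}

// Constructed sample inputs modelled on the URLs tried in the post.
const BASE = "https://myform.apps.ndia.gov.au/";
const SAMPLES = [
  BASE + "?src=https://forms.apps.ndia.gov.au/exampleproject/iasms&org=ndis&theme=ndis",
  BASE + "?src=https://google.com/",
  BASE + "?src=https://examples.form.io/example",
  BASE + "?src=https://forms.apps.ndia.gov.au.other.example/x",
  BASE,
];

for (const url of SAMPLES) {
  const result = checkFormSrc(url);
  console.log(result.ok ? "ALLOW" : "BLOCK", url, result.reason || "");
}
```

With this check in place the examples.form.io URL from the post is refused in the same way as google.com, instead of being rendered under the government domain.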