MyGov site found to have weaknesses – threat to personal information obvious

May 15, 2014

Portals of whatever description, government or business, are key entry points to data storage systems. Weak data security, program flaws or simply obsolete structures may result in a site being hacked and personal information compromised. Verizon, in its 2014 Data Breach Investigations Report, found there were 63,000 confirmed security incidents and over 4,000 breaches worldwide. A breach following known security flaws raises the prospect of a breach of APP 11 of the Privacy Act.

The Sydney Morning Herald reports, in Revealed: serious flaws in myGov site exposed millions of Australians’ private information, that the much vaunted MyGov website has serious security weaknesses. The potential danger of interference with sensitive personal information is clear. APP 11 makes it clear that agencies must maintain adequate data security.

It provides:

A federal government department has been blasted over its “appalling response” to a security researcher’s report which found it has been exposing millions of Australians’ personal information by leaving serious security flaws unchecked in a critical government website.

The vulnerabilities were found in the myGov website, which stores the private records of Australians, including their doctor visits, prescription drugs, childcare and welfare payments. The Tax Office is expected to make the site mandatory for electronic tax returns this year.

One of the several vulnerabilities found was so severe it allowed the researcher, Nik Cubrilovic, to hijack the account of any registered myGov user.

Mr Cubrilovic said this was possible because of so-called “cross-site scripting” flaws on the site, which hackers could have potentially leveraged to hijack myGov accounts.

It is understood some of the flaws have been patched since the government was informed of them on May 2. How long the vulnerabilities have been in place is unknown, although the site has existed in various forms since 2009.

Mr Cubrilovic demonstrated how he was able to hijack this writer’s myGov account and access, if linked, Tax Office, Centrelink, Medicare, Child Support, Department of Veteran Affairs, e-health, and National Disability Insurance Scheme information.

[Image caption: Some of the information accessible via when linking it to Medicare.]

There is no suggestion a hacker exploited the vulnerabilities deemed “basic” and well-known for malicious purposes by security experts, although Mr Cubrilovic believes he probably wasn’t the first to discover them on the site.

To have information stolen, Mr Cubrilovic said a myGov user wouldn’t even have to click on a bad link. Instead they would just need to visit a website containing malicious code designed to extract specific information when visiting myGov. One such way this code could be inserted is via third-party advertisements appearing on Australian news websites, as occurred with SBS and the Herald Sun in 2011.

“If you were to score this [myGov] site out of 10 in terms of security it would be, like, zero or barely half a point,” Mr Cubrilovic, of Wollongong, said.

[Image caption: E-health records, including prescription drugs, are also accessible using]

“You could get into anybody’s account just by sending them a link either directly to the myGov website or to another website that … runs the exploit code,” he said.

After reporting the vulnerabilities to the Australian government’s chief technology officer John Sheridan, the issues were forwarded to the Department of Human Services, which manages the myGov website.

On May 7, chief information security officer at the department, Colin McLean, responded to Mr Cubrilovic’s report without directly acknowledging the issues, which frustrated the researcher. The letter also appeared dismissive of the findings, saying that data was “in very safe hands” – a line issued when other security issues with myGov were raised earlier this month.

[Image caption: Child immunisation records are accessible too.]

Other IT security experts have backed Mr Cubrilovic’s findings.

“The simplicity and the range of the vulnerabilities doesn’t give me any confidence that the data is in safe hands,” Sydney software architect and IT security consultant Troy Hunt said.

“The fact that Nik was able to demonstrate a basic attack that could allow an attacker to access the victim’s account simply by them [visiting a site] is evidence that the data is anything but ‘safe’.”

[Image caption: Centrelink payments are also made available via]

After seeing the letter provided to Mr Cubrilovic about the issues, Mr Hunt labelled it an “appalling response” because it didn’t address any of the findings made.

“The department’s response didn’t acknowledge any of these risks and by instead claiming that the data was ‘in very safe hands’ demonstrates that they don’t understand the severity of Nik’s findings…,” Mr Hunt said.

Ty Miller, director of Sydney IT security firm Threat Intelligence, agreed the data wasn’t safe.

“This basically proves that the data has not sufficiently been protected,” he said.

“Each of the vulnerabilities identified should have been picked up by appropriate security testing. In particular, cross-site scripting is the most common vulnerability that we find during penetration tests.”

“Most of these vulnerabilities shouldn’t have even been there in the first place,” Mr Hunt added. “That the programmers were not aware of such fundamental security constructs is very worrying and certainly they should have been detected by security professionals.”

“The class of the vulnerabilities … are such that they are very basic and elementary,” Mr Cubrilovic said. “I found them within a few minutes and anybody who is a security analyst who would have spent mere minutes on the website would have found the same bugs.

“It’s a very serious issue. You’ve got millions of people who have their lives in terms of their Medicare, potentially their future tax records available online to anybody to be able to access.”

In a statement, the Department of Human Services said access to myGov and its other online services was “audited and monitored” by the department. It also said it “routinely” subjected the myGov website “to independent security testing”.

The department also repeated that records were “in very safe hands” and said that it would not discuss specific details of its “security arrangements” as, it said, to do so would “increase risk for our customers”.

It said the Australian public could “rest assured” that any information provided to it about IT security was acted upon.

It did not confirm if all issues had been fixed or whether users would be advised. It also did not say whether it was certain that no accounts had been hijacked besides those belonging to this writer and the researcher.

This writer received two telephone calls from the department about the hijacking of the account, which resulted in the closure of linked accounts.
