PostBus, a subsidiary of ÖBB-Personenverkehrs AG, has fixed a serious data exposure vulnerability in one of its online Swiss public transport platforms. ZTF cybersecurity researchers Sven Faßbender, Martin Tschirsich, and Dr André Zilch conducted a penetration test on the Ticketcontrol.ch platform and found that it was vulnerable to attack.
TicketControl is an online service used to manage people who avoid paying their way on public transport. The platform connects to a national register to identify these people. Passengers are also able to upload proof they had a valid ticket at the time of the offense.
ZTF researchers say the penetration test revealed an insecure direct object reference (IDOR) vulnerability: records were stored and addressed in a way that made them easy to reach and extract. IDOR vulnerabilities arise when an application takes user-supplied input (for example a record identifier in a request) and uses it to locate objects such as database rows or files without first verifying that the requester is authorized to access that particular object. Exploiting an IDOR flaw lets an attacker read or modify data that belongs to other users.
The Least Privilege Principle
The vulnerability was privately reported to PostBus AG, the Federal Data Protection Commissioner (FDPIC), and the National Center for Cyber Security (NCSC) on January 21, 2022. PostBus confirmed the vulnerability and “immediately remedied” it. Local media outlet SURF reports that 1,776 exposed datasets were deleted once the fix was in place. The research team recommended that portals with authorization systems apply the least privilege principle, checking what the requester is permitted to access before a request is processed.
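To make the IDOR pattern described above and the recommended authorization-before-processing fix concrete, here is an added example; it is not code from TicketControl or from the researchers, and the record store, user names and function names are constructed for illustration. The first lookup function returns an uploaded proof by its numeric id alone, which is the vulnerable pattern; the second rejects the request unless the authenticated requester owns the record, and it records denials so that a burst of rejected lookups from one session (a typical sign of id enumeration) can be flagged.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TicketProof:
    """An uploaded proof-of-ticket record (constructed sample type)."""
    proof_id: int
    owner: str
    filename: str


# Constructed sample data: sequential ids, two different owners.
PROOFS = {
    1001: TicketProof(1001, "alice", "ticket_2022-01-15.pdf"),
    1002: TicketProof(1002, "bob", "ticket_2022-01-18.pdf"),
}


def fetch_proof_idor(requester: str, proof_id: int) -> Optional[TicketProof]:
    """Vulnerable pattern: the requester's identity is never consulted.

    Any authenticated user who guesses or increments an id receives
    another passenger's record. This is the insecure direct object reference.
    """
    return PROOFS.get(proof_id)


def fetch_proof_checked(requester: str, proof_id: int,
                        denials: Optional[list] = None) -> Optional[TicketProof]:
    """Hardened pattern: authorization is checked before the request is served.

    Returns the record only if it exists AND belongs to the requester.
    A missing record and a foreign record produce the identical outcome,
    so the response does not reveal which ids are in use.
    """
    proof = PROOFS.get(proof_id)
    if proof is None or proof.owner != requester:
        if denials is not None:
            denials.append((requester, proof_id))  # audit trail for detection
        return None
    return proof


def enumeration_suspects(denials: list, threshold: int = 3) -> list:
    """Return requesters with at least `threshold` denied object lookups.

    A legitimate user rarely requests records that are not theirs; several
    denials in one session suggest someone walking the id space.
    """
    counts = Counter(requester for requester, _ in denials)
    return sorted(r for r, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Vulnerable: "mallory" reads alice's record by guessing the id.
    print(fetch_proof_idor("mallory", 1001))
    # Hardened: same request is denied, and the denial is logged.
    log: list = []
    print(fetch_proof_checked("mallory", 1001, log))
    for guessed_id in (1002, 1003, 1004):
        fetch_proof_checked("mallory", guessed_id, log)
    print(enumeration_suspects(log))
```

The essential difference is a single ownership comparison placed before any data is returned; framework-specific session handling would replace the `requester` string in a real service, but the check itself is the least-privilege control the researchers recommend.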