Vulnerability in PostBus Public Transport Platform

PostBus, a subsidiary of ÖBB-Personenverkehrs AG, has fixed a serious data exposure vulnerability in one of its online Swiss public transport platforms. ZTF cybersecurity researchers Sven Faßbender, Martin Tschirsich, and Dr André Zilch conducted a penetration test on the platform and found that it was vulnerable to attack.


TicketControl is an online service used to manage people who avoid paying their way on public transport. The platform connects to a national register to identify these people. Passengers are also able to upload proof they had a valid ticket at the time of the offense.

IDOR Vulnerabilities

ZTF researchers say the penetration test revealed an insecure direct object reference (IDOR) vulnerability: the uploaded data was stored in a way that made it easy to reach and steal. IDOR vulnerabilities arise when an application uses user-supplied input, such as an identifier in a URL or request parameter, to look up an internal object like a database record or a file without first checking that the requester is authorized to access that object. Exploiting an IDOR flaw lets an attacker read or modify other users' data simply by supplying a different identifier.

The report says that there was no access control on TicketControl’s upload path. This allowed anyone to upload content such as malicious JavaScript or crafted images, which could have been used to steal customer data from the platform. As Faßbender told The Daily Swig, people caught using the train or bus without a valid ticket had to upload documents containing personal information as part of their application. By exploiting the IDOR vulnerability, an attacker could download those documents, and the personal information in them could be used to impersonate the affected people.

The Least Privilege Principle

The vulnerability was privately reported to PostBus AG, the Federal Data Protection Commissioner (FDPIC), and the National Center for Cyber Security (NCSC) on January 21, 2022. PostBus confirmed the vulnerability and “immediately remedied” it. Local media outlet SURF reports that 1,776 exposed datasets were deleted after the fix. The research team recommended that portals with authorization systems apply the least privilege principle, checking that the requester is entitled to the referenced object, before requests are processed.
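The following is an added illustration of the IDOR pattern described in the report and of the object-level authorization check the researchers recommend; it is not PostBus or TicketControl code, and every name, identifier and record in it is constructed. It places a document-download handler that trusts the client-supplied id beside one that resolves the object and then verifies ownership before returning anything, and includes a small regression check that walks an id range as a single low-privilege user to confirm that only that user's own documents come back.

```python
# Added example (not PostBus/TicketControl code): an IDOR-prone document
# lookup beside an authorization-checked version. All names and records
# below are constructed for illustration.
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a caller is not entitled to the requested object."""


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int        # the passenger who uploaded the proof of ticket
    filename: str


# Constructed sample store: document ids are sequential and easy to guess,
# which is exactly why the handler must not rely on them being secret.
DOCUMENTS = {
    1001: Document(1001, owner_id=7, filename="ticket_7.pdf"),
    1002: Document(1002, owner_id=8, filename="ticket_8.pdf"),
    1003: Document(1003, owner_id=9, filename="id_card_9.jpg"),
}


def download_vulnerable(requester_id: int, doc_id: int) -> Document:
    """IDOR pattern: the object is fetched from the client-supplied id with
    no check that the requester is allowed to see it. requester_id is
    known but ignored, so any authenticated user can read any document."""
    return DOCUMENTS[doc_id]


def download_checked(requester_id: int, doc_id: int,
                     *, is_inspector: bool = False) -> Document:
    """Least-privilege pattern: resolve the object, then decide
    authorization against the object's owner before returning any data.
    A missing object and a foreign object are reported identically so the
    id space does not reveal which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or (doc.owner_id != requester_id and not is_inspector):
        raise AccessDenied(f"document {doc_id} not available to user {requester_id}")
    return doc


def authz_regression_check(handler, requester_id: int,
                           id_range: range) -> list[int]:
    """Defender's test: request every id in id_range as one low-privilege
    user and return the ids the handler hands back. A correct handler
    returns only documents owned by requester_id."""
    returned = []
    for doc_id in id_range:
        try:
            doc = handler(requester_id, doc_id)
        except (KeyError, AccessDenied):
            continue
        returned.append(doc.doc_id)
    return returned


if __name__ == "__main__":
    # User 7 owns only document 1001; compare what each handler gives back.
    print("vulnerable:", authz_regression_check(download_vulnerable, 7, range(1000, 1010)))
    print("checked:   ", authz_regression_check(download_checked, 7, range(1000, 1010)))
```

The important design choice is that the authorization decision is made against the fetched object's owner, not against anything the client sent, and that the denial path is indistinguishable from a missing record. The `is_inspector` flag stands in for whatever role the real platform grants to staff who legitimately review other passengers' uploads; it is an assumption of this example, not a description of TicketControl's role model.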