British visa security bug goes worldwide
The company behind the website that revealed the personal details of people applying for visas in Britain has admitted the problem was actually worldwide.
The flaw, exposed by PC Pro contributing editor Davey Winder, occurred on the VFS website, the British High Commission’s partner for processing UK visa applications. By changing a few numerical identifiers in the website’s URL, visitors could gain access to the company’s database. The details that have potentially been revealed include passport numbers, addresses, names, family details and travel plans.
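A record lookup that trusts a number taken from the URL is usually called an insecure direct object reference. The sketch below is an added example, not VFS code: it sets a lookup of that kind beside one that checks ownership on the server and logs denied requests so that identifier walking shows up. The record layout, function names, user names and threshold are all assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    app_id: int
    owner: str        # account that submitted the application
    passport_no: str


# Constructed sample records with sequential numeric ids.
APPLICATIONS = {
    1001: Application(1001, "alice", "P-CONSTRUCTED-1"),
    1002: Application(1002, "bob", "P-CONSTRUCTED-2"),
}


class Forbidden(Exception):
    """Raised for both 'no such record' and 'not your record'."""


def get_application_vulnerable(session_user, app_id):
    # Flawed pattern: the id from the URL is the only thing consulted,
    # so the caller's identity never influences which record comes back.
    return APPLICATIONS.get(app_id)


def get_application_checked(session_user, app_id, audit_log):
    # Hardened pattern: the server compares the record's owner with the
    # authenticated session before returning anything.
    record = APPLICATIONS.get(app_id)
    if record is None or record.owner != session_user:
        # Same error for missing and foreign records, so responses do not
        # reveal which ids exist; the denial is kept for detection.
        audit_log.append((session_user, app_id))
        raise Forbidden("application not available")
    return record


def enumeration_suspects(audit_log, threshold=3):
    # Accounts denied on at least `threshold` distinct ids, which is the
    # footprint left by someone stepping through numbers in the URL.
    denied = {}
    for user, app_id in audit_log:
        denied.setdefault(user, set()).add(app_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)
```
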
The hole was first discovered by a visa applicant from India, but it has since been revealed that the same flaw existed for applicants from across the globe. VFS handles British visa applications from India, China, Russia and several other countries. It also handles visa applications for a dozen other countries.
When Winder asked Uttam Lahiry, Head of IT for VFS Global, if the problem was worldwide and if it had been fixed accordingly, he responded ‘it is (sic) been resolved globally’.
Winder claims that the sheer scale of the problem could have huge implications for international security. ‘With some of these clients dating back to 2001 it becomes clear that the potential number of people whose data was at risk of exposure rises from thousands into millions,’ he says.
‘VFS Global claim to handle 3 million applications per year, do the maths…’