Visa site flaw reveals personal details

A website flaw that revealed the personal details of people applying for visas in Britain was left unchecked for a year after the problem was first reported, according to PC Pro’s internet security expert.

The bug occurred on the VFS India website, the British High Commission’s partner for processing UK visa applications from India. Essentially, you could access the organisation’s database just by changing a few numerical identifiers in the URL.

The details that have potentially been revealed include passport numbers, addresses, names, family details and travel plans.

The flaw was originally discovered by an applicant who tried to retrace his steps during the application process. With some URL tweaking, he stumbled on the security breach.

The story was broken by PC Pro Contributing Editor Davey Winder. As he points out, poorly designed sites are commonplace. But this one is not only related to the British High Commission: the security hole was still gaping a full year after a concerned Indian citizen reported the problem to VFS Global. However, it took less than 24 hours for Davey Winder’s investigation to get them to secure the breach.

‘The terror and ID theft implications are massive,’ says Winder, ‘especially considering this is to do with coming into the UK and US from India.’

While the VFS Global IT team did investigate the issue, other parties were seemingly less concerned. The Information Commissioner’s Office in the UK, responsible for enforcing the Data Protection Act, was not so forthcoming, says Winder. Nor were the UK Foreign and Commonwealth Office or the British High Commission in India.

‘At the time of writing there have been no replies to my requests for comment on the story from any of them,’ he writes. ‘Frankly, I am amazed that this has been allowed to continue for so long, exposing thousands of Indian identities with enough sensitive data to make ID theft child’s play.’

‘I am even more amazed that nobody, apart from that VFS Vice President, cared enough to acknowledge I was writing this story and try to prevent my posting it, or provide some kind of mitigating comment by way of an apology and promise that the hole had been sealed shut immediately,’ he adds.

Finally, Winder notes that VFS handles visa applications for governments around the world, including Russia, South Africa, Singapore and China. Who is to say, he asks, that the same security hole is not open across all the online visa application sites?

You can find the full story on Davey Winder’s blog on DaniWeb.
