Security researchers have advised Australians not to use the federal government’s digital identity service after authorities refused to fix a crucial design flaw they had discovered.
Thinking Cybersecurity chief executive and Australian National University adjunct professor Vanessa Teague and University of Melbourne masters student Ben Frengley on Monday published a report on myGovID, the government’s digital identity service developed by the Australian Taxation Office (ATO).
The researchers outlined their discovery of a flaw in myGovID’s protocol which could allow an attacker to easily trick a user into handing over access to their account and control of their linked government services, as well as private sector services such as banking in the future.
The relay attack would involve a malicious actor tricking a myGovID user into entering their linked email address on a replica website, then showing them a live 4-digit code the attacker has just obtained by starting a genuine login with that email. When the user enters that code into the myGovID app on their phone, they approve the attacker's session, handing over access to their account and the linked government services.
The researchers went public with the flaw on Monday after being told by the government that it did not intend to patch the issue, which it characterised not as a vulnerability but as a matter of public awareness.
The Australian Taxation Office led the development of myGovID, which has been accredited under the Digital Transformation Agency’s (DTA) GovPass digital identity program and can be used to log into government services.
Professor Teague said Australians should not use myGovID until the flaw is fixed, although many have no choice: myGovID replaced AUSkey earlier this year, and the government is planning to integrate it with the myGov platform soon.
“My recommendation is to not use it unless you have to, but I recognise that a lot of people have to. If you have to, then check with great care that the 4-digit code is coming from the TLS-protected site at mygovid.gov.au. That’s really the critical takeaway,” Professor Teague said.
“If you have to use this system, make that check every single time because it’s critically important to making sure the login isn’t hijacked.”
The recently revealed flaw relates to the security protocol used by myGovID when a user logs into an eligible service. The user first enters their email address on the myGovID website, which then displays a 4-digit code. The user enters that code into the myGovID smartphone app, not into the website, and is then logged into the relevant service.
But the app does not tell the user which service they are logging into when they enter the code on their phone, so the login can be hijacked by a malicious actor who tricks the user into entering their details on a fake website.
“The crucial design flaw is that when [a user’s] myGovID app receives an authorisation request and invites [them] to enter her 4-digit code, there is nothing in the app’s user interface that tells her the name of the entity seeking authorisation,” the researchers said.
In a statement, an ATO spokesperson denied the researchers’ discovery was a vulnerability.
“The approach identified by the researchers, to scam a user by redirecting them to a malicious phishing website requesting credentials, is a well-known and common challenge across authentication systems and is not unique to the myGovID platform,” the spokesperson told InnovationAus.
“This research is not disclosing a security vulnerability of the myGovID solution or application and this type of scam can be used against most existing credential types in the online sector.”
But this issue is different from a traditional phishing scam, Professor Teague said, as users are only entering a code into their phone rather than a password into a suspicious website, and may be less alert to a replica site.
“It’s very different from the usual check they have to do. Most people know that if you’re entering a password into a website, you need to check the website really is the website you think it is. Most people know that and most web browsers have some automated protection,” Professor Teague said.
“With this, the information flow is counter-intuitive – you really have to understand it extremely well to know that you need to check where you’re receiving the PIN from with great care. I think most users are a lot more likely to be vulnerable to do this than if they’d implemented a more traditional login.”
The researchers alerted the Australian Cyber Security Centre of the security flaw in mid-August. In a meeting with the ATO late last week, they were told that the government did not plan to patch it, leading the researchers to go public.
Professor Teague said she was “disappointed” by the ATO’s response.
“There wasn’t any user education around that point that I ever saw, and it’s just not obvious to the user what the user has to do. It means the user has to do this very counter-intuitive check that they’re never explicitly told they have to do,” she said.
The researchers released a video showing how this could take place, with a myGovID user attempting to log into a fake website under the attacker’s control. Once the attacker has the user’s email address, they can use it to initiate a login on the real myGovID website, and are presented with the 4-digit code to be entered into the smartphone app.
The attacker’s fake website shows the same code to the unsuspecting user, who enters it into the app and thereby unknowingly approves the attacker’s login to their account.
While the demonstration was done manually by Professor Teague, attackers could complete this process automatically, making it even more dangerous.
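The login flow and the relay described above, as an added simulation that is not part of the article or of myGovID’s own code: the identity provider, the service names (taxportal.example, bank.example) and the phishing origin are all constructed for illustration. It models both browser steps and the app step, and shows why a correct code approves whichever browser session produced it, wherever that browser is.

```python
"""Simulation of a myGovID-style login flow and the relay attack the
researchers describe. Constructed example: the identity provider, the
relying-party names and the phishing origin are hypothetical, and this is
not myGovID's implementation."""
import secrets
from dataclasses import dataclass

GENUINE_ORIGIN = "mygovid.gov.au"            # where the real code is displayed
PHISHING_ORIGIN = "mygovid-login.example"    # constructed attacker replica site


@dataclass
class PendingLogin:
    email: str            # account the browser session claims to own
    relying_party: str    # service that browser session is logging into
    code: str             # 4-digit code displayed in that browser session
    approved: bool = False


class IdentityProvider:
    """Stand-in for the identity service. With show_relying_party=False the
    app prompt carries no context, which is the design flaw in the article."""

    def __init__(self, show_relying_party):
        self.show_relying_party = show_relying_party
        self.sessions = {}  # session_id -> PendingLogin

    def start_login(self, email, relying_party):
        """Browser step: whoever controls this browser session sees the code."""
        session_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10_000):04d}"
        self.sessions[session_id] = PendingLogin(email, relying_party, code)
        return session_id, code

    def app_prompt(self, email):
        """Phone step: context the app shows for the latest pending request
        (None when there is none, or when the design hides it)."""
        pending = [s for s in self.sessions.values()
                   if s.email == email and not s.approved]
        if not pending or not self.show_relying_party:
            return None
        return pending[-1].relying_party

    def app_confirm(self, email, code):
        """Phone step: a correct code approves whichever browser session
        produced it. Nothing ties that session to the user's own browser."""
        for s in self.sessions.values():
            if s.email == email and s.code == code and not s.approved:
                s.approved = True
                return True
        return False

    def session_identity(self, session_id):
        """Relying-party step: identity released to the browser session."""
        s = self.sessions[session_id]
        return s.email if s.approved else None


def honest_login(service="taxportal.example"):
    """Normal flow: the user's own browser goes to the identity site, enters
    the email, sees the code, enters it into the app; that session is approved."""
    idp = IdentityProvider(show_relying_party=False)
    user = "user@example.com"
    session_id, code = idp.start_login(user, service)
    if not idp.app_confirm(user, code):
        return False
    return idp.session_identity(session_id) == user


def relay_attack(show_relying_party, victim_expects, attacker_targets,
                 victim_checks_origin=False):
    """Return True if the attacker ends up logged in as the victim.
    victim_expects: service the victim believes the replica page belongs to.
    attacker_targets: service the attacker actually starts a login with."""
    idp = IdentityProvider(show_relying_party)
    victim = "victim@example.com"
    # 1. Victim types their email into the attacker's replica page.
    # 2. Attacker at once starts a genuine login with that email in their own
    #    browser and is shown the live code for that session.
    session_id, code = idp.start_login(victim, attacker_targets)
    # 3. The replica page shows the same code to the victim, who now decides
    #    whether to enter it into the app.
    if victim_checks_origin and PHISHING_ORIGIN != GENUINE_ORIGIN:
        return False  # Teague's check: code did not come from mygovid.gov.au
    named = idp.app_prompt(victim)
    if named is not None and named != victim_expects:
        return False  # app named a service the victim was not logging into
    idp.app_confirm(victim, code)
    # 4. The attacker's browser session, not the victim's, is now approved.
    return idp.session_identity(session_id) == victim
```

With the app showing no context, `relay_attack(False, "taxportal.example", "bank.example")` returns True: the victim approves a login to a service they never intended to use. Naming the relying party in the app prompt (`show_relying_party=True`) lets the victim notice that mismatch, but it does not help when the attacker starts a login with the same service the victim believes they are using, since the name then matches. The only check in this model that blocks both cases is the one Teague recommends: refusing any code that was not displayed by the genuine site.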
The design of myGovID is “counter-intuitive”, the researchers said, and most users may not be able to tell that they are being duped by a similar malicious scheme.
“The attack is detectable by a diligent user who understands the protocol well enough to know that they should only accept 4-digit codes from mygovid.gov.au. However, we believe that there are very few users in this category, because it is a counter-intuitive protocol designed to reverse the information flow relative to what users are accustomed to,” they said.
The problem stems from what the researchers call the “noble goal” of stopping users from entering credentials into websites without checking they are legitimate; myGovID pursues it by never requiring users to enter their details into anything except the app.
But this has led to an equivalent problem.
“The main reason this is worse than the standard redirect-to-fake-login-site attack is that the information flow is so counter-intuitive and non-standard that users are much less likely to notice – we all know we are not supposed to enter credentials into websites we do not trust, but we have no intuition about whether we are supposed to enter a number from a website we semi-trust into an app we trust,” the researchers said.
“This kind of confusing user experience teaches even normally vigilant users to ignore things that might otherwise seem odd, and myGovID’s lack of context for login requests exacerbates this issue, which makes this attack more concerning.”
The protocol used by myGovID is governed by the Trusted Digital Identity Framework (TDIF), developed by the DTA to accredit digital service providers into the government’s GovPass scheme.
myGovID completed assurance assessments, including independent security penetration testing, as part of the accreditation process.
The government has now spent more than $200 million on the GovPass project, which is still in a beta phase more than five years after it was launched. The ATO’s myGovID is one of only two digital identity services to be accredited under the scheme.
The DTA had been planning to integrate myGovID with myGov by the end of the last financial year, but missed this deadline after testing discovered a range of issues.
The DTA is also looking to expand the program to the private sector and will need to pass legislation to do so. This would mean that users could use myGovID to log into their bank, for example.