Geekzone: technology news, blogs, forums
gunnerjnz

4 posts

Wannabe Geek


#290187 26-Oct-2021 12:46

The covid certificate site puts its csrf tokens, nonces etc in its urls. Isn't this inherently insecure?

OWASP says any change of state transactions shouldn't have csrf in the url.

This URL is for signing up to the certificate site. The previous screen disclosed nonces etc in the clear.

I've sent a contact and asked them but had no response.
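The concern in the post above is that a token carried in a query string gets copied into places it was never meant to reach: server and proxy access logs, browser history, and the Referer header of the next request. As an added example, not code from this thread or from the certificate site, here is a small Python scanner that runs over constructed access-log lines (combined log format assumed) and reports secret-looking parameter names found in request URLs or Referer values; the list of parameter names it flags is a heuristic assumption.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Combined log format (assumed): client ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Heuristic (assumption): parameter names that usually carry a per-request secret.
SENSITIVE_NAME = re.compile(r"csrf|xsrf|nonce|token|session", re.IGNORECASE)

# Constructed sample lines, not real traffic from the certificate site.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Oct/2021:12:46:01 +1300] "GET /signup?csrf_token=abc123&nonce=n9f8 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Oct/2021:12:46:09 +1300] "POST /signup/confirm HTTP/1.1" 302 0 "https://cert.example/signup?csrf_token=abc123&nonce=n9f8" "Mozilla/5.0"
198.51.100.7 - - [26/Oct/2021:12:47:30 +1300] "GET /static/app.css HTTP/1.1" 200 8192 "https://cert.example/" "Mozilla/5.0"
"""


def sensitive_params(url):
    """Return (name, value) pairs from the query string whose name looks like a secret."""
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if SENSITIVE_NAME.search(k)]


def scan_log(text):
    """Return findings as (line_no, where, method, param_name).

    'where' is "request-url" when the secret sits in the logged request target
    (so it is now in this log, the browser history and any proxy on the path)
    and "referer" when a later request leaked it through the Referer header.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real job would count these separately
        for name, _ in sensitive_params(m["target"]):
            findings.append((line_no, "request-url", m["method"], name))
        if m["referer"] not in ("", "-"):
            for name, _ in sensitive_params(m["referer"]):
                findings.append((line_no, "referer", m["method"], name))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The same check can be pointed at a real log export to see how far a URL-borne token has already travelled before deciding how urgently to rotate it.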


 


freitasm
BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2801435 26-Oct-2021 16:14

Interesting - thanks for raising this. I've forwarded it to someone that knows someone.

BarTender
3629 posts

Uber Geek
+1 received by user: 2572

ID Verified
Trusted
Lifetime subscriber

  #2801436 26-Oct-2021 16:14

Everyone loves Microsoft B2C

Kookoo
869 posts

Ultimate Geek
+1 received by user: 407

Trusted

  #2801455 26-Oct-2021 17:19

BarTender: Everyone loves Microsoft B2C

To type this reply I had to stop the highly enjoyable process of repeatedly smashing my head into the desktop after having to deal with Azure B2C.

Now if you'll excuse me, I need to get back to it.


mentalinc
3384 posts

Uber Geek
+1 received by user: 1023

Trusted

  #2801477 26-Oct-2021 18:30

@freitasm, can we edit the post to remove any details?

And how about we do some responsible disclosure before posting to public forums, particularly as a first post:

https://www.health.govt.nz/our-work/digital-health/digital-health-sector-architecture-standards-and-governance/responsible-disclosure-guidelines

BarTender
3629 posts

Uber Geek
+1 received by user: 2572

ID Verified
Trusted
Lifetime subscriber

  #2801502 26-Oct-2021 19:19

Kookoo:

BarTender: Everyone loves Microsoft B2C

To type this reply I had to stop the highly enjoyable process of repeatedly smashing my head into the desktop after having to deal with Azure B2C.

Now if you'll excuse me, I need to get back to it.

If you wanted a good laugh: when DIA did the RealMe certificate renewal for their MTS / Development environment it was down for 3 days.
It only took 6 hours today to replace their ITE / PreProd environment certs, which they cleverly said needed to be real public CA issued certs on both sides for the SAML data exchange rather than using internally signed certs.
Happy days with B2C.

gunnerjnz

4 posts

Wannabe Geek


  #2801801 27-Oct-2021 10:00

mentalinc:

@freitasm, can we edit the post to remove any details?

And how about we do some responsible disclosure before posting to public forums, particularly as a first post:

https://www.health.govt.nz/our-work/digital-health/digital-health-sector-architecture-standards-and-governance/responsible-disclosure-guidelines

Did - twice - no response. So that's why I asked here.

But not to the link above - as it does not appear anywhere in a search - I used the link on the site to contact them if there are issues.

IMHO - having removed the link - which is publicly accessible - the post now has no data for experts to look at and check. How do we post something like this - with data for people to look at - rather than making them guess what the issue might be?

freitasm
BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #2801804 27-Oct-2021 10:07

You can post the data to them when you report the problem. The data here is not lost - it's in the previous edit and if asked for by someone in their team we can provide it. But I suspect they know about it now. 


Kookoo
869 posts

Ultimate Geek
+1 received by user: 407

Trusted

  #2802255 27-Oct-2021 20:29

Just tried getting through that registration process. What a mess. Hit a wall at "Error
You have exceeded the number of retries allowed." on entering the verification code.

Clicked "resend code". It sent the same one! Logged in on a different machine, same process - got the same verification code.

It says a verification code expires after 5 minutes. Waited for 20 minutes, started the signup process from scratch - got the same verification code again.

How the heck do you get a persistent verification code associated with your email?! What do they do, generate a code and store it with your email somewhere in cosmos for posterity? And then every time you trigger a resend, they look up your email and resend the same code? Why?

So many questions, so few answers...
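Kookoo's observations above (the same code on resend, no expiry after 20 minutes, retries capped) describe what a verification-code store must not do. As an added example that is not the certificate site's code and assumes nothing about its back end, this Python class shows the behaviour a reviewer would check for: every send or resend mints a fresh random code and invalidates the previous one, codes expire after the advertised 5 minutes, a code is accepted once only, and wrong guesses are counted; MAX_ATTEMPTS and the in-memory store are assumptions for the example.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # the site says a code expires after 5 minutes
MAX_ATTEMPTS = 5         # assumed lockout threshold


class VerificationCodes:
    """In-memory one-time-code store keyed by email (assumed design for this example)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested without sleeping
        self._pending = {}       # email -> (code, expires_at, attempts_left)

    def issue(self, email):
        """Mint a fresh 6-digit code. A resend is just another issue(): the old code dies."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[email] = (code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code  # delivered out of band (email); never echoed back in a URL

    def verify(self, email, submitted):
        """Accept the live code exactly once; expiry or exhausted retries discard it."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[email]          # stale or locked out: force a new issue()
            return False
        if hmac.compare_digest(code, submitted):
            del self._pending[email]          # single use
            return True
        self._pending[email] = (code, expires_at, attempts_left - 1)
        return False
```

Run against the behaviour in the post: a second issue() for the same address must return a different code almost always, and any code older than CODE_TTL_SECONDS must fail.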

gunnerjnz

4 posts

Wannabe Geek


  #2802349 27-Oct-2021 23:53

I didn't make it that far on a mobile device, or second mobile device, or third...

Agree to terms and conditions. - No tick box or radio button.

Unless you can see a non-filled radio button that's smaller than a full stop.

Fault 1 - radio button, not check box. Radio buttons should have more than one option.
Fault 2 - non-responsive page - considering how many people use mobile.

If these front facing app pages are so horrific - I hate to think what the hidden back end is like.

The phrase "I would rather stick xxxxx in a bear trap than put data in that" came to mind.

jonherries
1433 posts

Uber Geek
+1 received by user: 316

Trusted
Subscriber

  #2802565 28-Oct-2021 10:45

Thanks, we have seen this. Please continue to use our disclosure mailbox in the first instance. Consistent with our policies we won't be discussing this here.

Jon

gunnerjnz

4 posts

Wannabe Geek


  #2802681 28-Oct-2021 11:54

jonherries: Thanks, we have seen this. Please continue to use our disclosure mailbox in the first instance. Consistent with our policies we won't be discussing this here.

Jon

We used the contact form on the website - that says if there are any issues - let us know. So far no response.

My experience of putting info through Govt support desks is almost a total lack of response. It doesn't make it easy to be supportive in this process.

Thank you for replying here and letting us know we have been heard.