ATO declines to fix code replay flaw within myGovID

Security researchers advise users to not use the system until it is patched, and given the taxation office's response, that could be a long time coming.
Written by Chris Duckett, Contributor

The default login option for agents used by the Australian Taxation Office (ATO) is vulnerable to a code replay attack, security researchers Ben Frengley and Vanessa Teague said.

Writing in a blog post, the pair described how an attacker could use a malicious login form to capture user details, which the attacker could then use to log into other accounts held by the myGovID user.

The nub of the attack is that when a myGovID user attempts to log in to a site, they are asked to enter a four-digit code into the myGovID smartphone app to verify the login; no passwords are used, and the only identifying piece of information is an email address.

If the attacker captures an email address, they can use it to log into another myGovID service and replay the generated code to the user, who enters it into the myGovID app. Once the code is entered, the user believes they are logged into a legitimate site, while the attacker is simultaneously logged into the user's account elsewhere.

The user is not alerted to the other login taking place.

"This attack is detectable by a diligent user who understands the protocol well enough to know that they should only accept 4-digit codes from mygovid.gov.au (and knows how to check for TLS)," the pair wrote.

"However, we believe that there are very few users in this category, because it is a counter-intuitive protocol designed to reverse the information flow relative to what users are accustomed to."

The researchers' suggested short-term mitigation is to inform users which site is requesting a login; for the long term, the pair recommended ditching the framework altogether.
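The flaw is a binding problem: the four-digit code proves which pending session the user approved, but nothing ties that session to the site the user is actually looking at. The toy model below is added here for illustration and is not code from the researchers, the ATO or myGovID; it puts a code-only approval beside the researchers' short-term mitigation (the app shows which site requested the code and the user compares it). All hostnames, email addresses and codes are constructed.

```python
# Constructed toy model of a "type the code into the app" login flow.
# Not myGovID's protocol or code; hostnames and codes are made up.
from dataclasses import dataclass


@dataclass
class PendingLogin:
    email: str
    relying_party: str   # site that asked the identity provider to log this user in
    code: str            # four-digit code the user is expected to type into the app
    approved: bool = False


class IdentityProvider:
    def __init__(self):
        self._pending = []
        self._next_code = 4821   # fixed sequence so the example is deterministic

    def start_login(self, email, relying_party):
        code = f"{self._next_code % 10000:04d}"
        self._next_code += 1
        login = PendingLogin(email, relying_party, code)
        self._pending.append(login)
        return login

    def approve_code_only(self, email, code):
        """Code-only variant: the app reports just the code, so the IdP approves
        whichever session issued it, with no check of where the user really is."""
        for login in self._pending:
            if login.email == email and login.code == code:
                login.approved = True
                return login
        return None

    def approve_with_site_shown(self, email, code, site_user_is_on):
        """Mitigated variant: the app displays the relying party that requested
        the code; the user declines when it is not the site in front of them."""
        for login in self._pending:
            if login.email == email and login.code == code:
                if login.relying_party != site_user_is_on:
                    return None   # mismatch: the user refuses to approve
                login.approved = True
                return login
        return None


def relayed_login(check_site):
    """A look-alike page collects the user's email and forwards a code obtained
    from a real service. Returns the relying party that got approved, or None."""
    idp = IdentityProvider()
    lookalike = "mygovid-login.example"   # constructed look-alike hostname
    real = idp.start_login("user@example.com", "service.gov.example")
    if check_site:
        done = idp.approve_with_site_shown("user@example.com", real.code, lookalike)
    else:
        done = idp.approve_code_only("user@example.com", real.code)
    return done.relying_party if done else None
```

With code-only approval the real service's session is approved even though the user never visited it; once the app shows the requesting site, the mismatch is visible and the approval fails.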

"In the long run, the [Trusted Digital Identity Framework] and all its current implementations should be deprecated and replaced with an open standard such as OpenID Connect or a protocol modelled on that of a nation with an existing secure public key infrastructure such as Belgium or Estonia," they wrote.

"The implementation and design documentation should be openly available to the Australian public to allow for the identification and responsible disclosure of other vulnerabilities.

"We have no reason to believe that this is the only, or the worst, vulnerability in this system. Its complex nature and the desire to hide information makes enforcing and validating correct, secure behaviour close to impossible."

For users, the pair recommended they do not use myGovID unless unavoidable, and in that case, to ensure they only receive codes from the mygovid.gov.au site.

"This is unlikely to work in practice for most users, who will struggle to recognise a secure website with the right URL," they said.

The pair said they informed the Australian Signals Directorate of the issue on August 19, and were told on Friday by the ATO that "they did not intend to change the protocol, at which point we immediately informed them that we would make a warning to users public".

In October, the Digital Transformation Agency said almost 7,000 Australians had created a myGovID.

A spokesperson for the ATO said the flaw was not a "security vulnerability of the myGovID solution or application" and that it can be used against login procedures including "passwords, SMS, physical code generators, and mobile app codes".

"The approach identified by the researchers, to scam a user by redirecting them to a malicious phishing website requesting credentials, is a well-known and common challenge across authentication systems and is not unique to the myGovID platform," the spokesperson said.

"The ATO takes IT security very seriously."

Also on Monday morning, the ATO announced it has signed a three-year, AU$11.4 million deal with Vocus for managed network services.

"The contract will see Vocus provide up to 230 services across 80 ATO sites, on its fully separated secure network," Vocus said.

"The types of services include IP WAN, internet and data centre connectivity for all existing and future ATO sites."

The contract has three potential two-year extensions.

Updated 21 September 2020 at 8:28pm AEST: Added comments from ATO.
