Today is a good day. I’ve managed to stop the personal details (including addresses, National Insurance numbers, and payment histories) of over one hundred thousand people from leaking from a ‘web’ application of such calamitous stupidity that it beggars belief.
As some of you may know, in the UK there is a salary sacrifice scheme (and tax benefit) that allows parents to part-pay for childcare from their gross salaries; parents arrange with their employers to buy childcare vouchers which may then be redeemed with nurseries, etc. There are a number of childcare voucher providers, but for most people their choice of provider will have been made by their employer. The provider used by the University of Southampton is Busy Bees. I have, shall I say, a few issues with their website that I have to use to manage my childcare vouchers, and it’s here that I have to get a bit technical.
Most companies, if required to build a web-facing application, would employ someone to build something using ASP, PHP or possibly JSP. They’d build a new application that would coexist well with other web applications, and they’d (hopefully) try to engineer a clear divide between the UI facing the user and the potentially sensitive data held in the back office.
Busy Bees have chosen an approach that I dearly hope is unique. They use Citrix MetaFrame to export the UI from a crufty Windows 2000 application to your desktop, via a Java plugin on a webpage. Yes, you did read that right (this is why there were scare quotes around ‘web’).
This is such a monumentally bad idea that I don’t really have the words to explain it. It fails on all counts: accessibility, availability, scalability and security. To make matters worse, the Windows application is exceptionally shoddy; the UI behaves inconsistently, there are issues with data integrity (it’s common to see corrupted data), and it insists on full-screening itself (which is exciting when you run on multiple monitors).
As I found out last night, the application is also insecure. I accidentally right-clicked on part of the screen where there wasn’t a button, and was shown a blank context menu and a series of error dialogues. Click ‘OK’ on the error dialogues, and the entries in the context menu get filled in. Select ‘search’, and you get a (heavily cropped) form which allows you to search on terms like ‘sort code’, ‘account number’, ‘BACS reference’, ‘address’ and so on. Select any part of this form, hit return, and you get a Win2k file open dialogue that lets you examine or edit any file on the filesystem, and execute arbitrary applications.
These files include the database files on which the application runs. In a cursory half hour browse, I found the following:
- email addresses of every Busy Bees customer
- payment logs for every customer for the past two and a half years
- service logs that helpfully included customer names and NI numbers
This was without searching particularly hard, or opening any .DBF files.
Busy Bees prides itself on having (corporate) customers from across the public sector, and from many FTSE 100 companies. From the email addresses I saw on one page, they can count the following amongst them:
- DSTL
- Carlsberg
- Halfords
- South Yorkshire Police
- University of Hertfordshire
- University of Southampton
- Thames Valley Police
- Office of Public Sector Information
- North Yorkshire County Council
That the details of employees from these companies and others had been left unsecured suggests both a lack of technical nous, and a criminal failure of process at Busy Bees.
I contacted them this morning, and after the usual telephone runaround they responded by taking the Busy Bees e-Voucher site down ‘for maintenance’, which fixes the problem in the short term. However, the underlying problem in their choice of technology (Citrix, etc.) has been there for the last year and a half at least, because that’s how long I’ve been complaining to them about it. Their answer has previously been ‘we’re getting a new system in six months’ time’, so my confidence that they’ll fix this problem properly is on the low side of none.
On the plus side, the University are reconsidering their choice of childcare voucher provider.
p.s.: please point other Busy Bees customers that you might know at this post.