BAMF: bizarre test accounts enabled unauthorized data access
Creating a user account with "max.mustermann@testtraeger.de" did not end well for the migration office. It quickly served as an open sesame for a security researcher.
IT security expert Tim Philipp Schäfers has discovered a serious security vulnerability at the Federal Office for Migration and Refugees (BAMF). It arose from outdated user accounts with rather bizarre email addresses such as "max.mustermann@testtraeger.de" combined with generally inadequate protective measures. With minimal effort, the expert quickly gained administrative rights on a BAMF system. In the event of a real cyberattack this could have ended badly: the authority processes highly sensitive personal data on refugees, including information on integration courses, accommodation and family relationships as well as biometric characteristics.
To control access to its IT systems, the BAMF introduced a "Delegated User Administration (DeBeV)" a few years ago, Schäfers explains in a report on his discovery. This is a central identity management system that works across various specialist procedures. A publicly accessible document with usage instructions for DeBeV from April 2018 contained sensitive details. Screenshots of the web application showed that an account with the user ID "max.mustermann@testtraeger.de" apparently existed in the test and integration system. The domain was still unregistered. Schäfers secured it for 5.97 euros.
The security researcher also found a reference in the documentation to DeBeV's "forgot password" function. To check whether the Mustermann account still existed, he set up a so-called catch-all mailbox, which means that all emails sent to any address under the registered domain end up in a central inbox. Lo and behold, a few seconds after triggering the forgot-password function, the crucial email landed in the inbox, including a link to reset the password. One click on the link was enough to set a new password without any further authentication or two-factor authentication. The subsequent login went smoothly.
Access to other specialist procedures was open
The author considers it particularly serious that it would potentially have been possible for him to log into other IT specialist procedures with the new password. He refrained from doing so "for ethical reasons". However, a click on "Manage users" revealed a list of 200 to 300 user accounts assigned to the BAMF, local authorities and research institutions. Some users had used private email addresses for official purposes, which posed an additional security risk. Access to the account would have allowed potentially far-reaching administrative rights, including the ability to reset the passwords of other accounts.
Bernd Beispiel, Carla Columna and Maria Muster
According to his report, Schäfers reported the vulnerability to the BAMF, whereupon the authority deactivated the affected account together with the four other accounts anna.mustermann, bernd_beispiel, carla-columna and maria.muster under the same domain within four hours. There was no immediate response from the BAMF, which led to further inquiries. Eventually, the authority confirmed that the security problems had been rectified. According to Netzpolitik.org, the office also informed the Federal Data Protection Authority. Schäfers recommends a clear separation between test and production systems, practising account hygiene and implementing multifactor authentication to avoid such security gaps.
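The failure modes described above (placeholder test identities left enabled, accounts whose email domain the organisation does not control and therefore whose reset mails can be captured by whoever registers that domain, dormant accounts, and admin rights on any of these) can be caught by a routine audit of the identity system's user export. The following is an added example in Python, not code from the article, from Schäfers or from the BAMF; the export format, the owned-domain list, the placeholder-name patterns and the dormancy threshold are assumptions, and the sample rows are constructed.

```python
"""Audit a user export from an identity-management system for the account-hygiene
problems described in the article. Sample data below is constructed."""
import re
from datetime import date

# Domains the organisation actually controls (assumed placeholder, not BAMF's).
OWNED_DOMAINS = {"agency.example"}

# Local parts typical of German placeholder identities ("Max Mustermann" etc.).
# Lookarounds treat ".", "_" and "-" as separators so "bernd_beispiel" is matched.
PLACEHOLDER_RE = re.compile(
    r"(?<![a-z])(mustermann|muster|beispiel|columna|test)(?![a-z])", re.IGNORECASE)

DORMANT_DAYS = 180  # assumed threshold

# Constructed export rows: (user_id, last_login ISO date or None, can_manage_users)
SAMPLE_EXPORT = [
    ("max.mustermann@testtraeger.de", "2018-04-03", True),
    ("anna.mustermann@testtraeger.de", None, False),
    ("p.schmidt@agency.example", "2024-05-11", True),
    ("sachbearbeiter77@freemail.example", "2024-05-09", False),
]


def audit_account(user_id, last_login, can_manage_users, today):
    """Return the list of findings for one account (empty list = nothing flagged)."""
    findings = []
    local, _, domain = user_id.rpartition("@")
    if domain.lower() not in OWNED_DOMAINS:
        findings.append("foreign-domain")    # reset mails leave the org's control
    if PLACEHOLDER_RE.search(local):
        findings.append("placeholder-name")  # test identity still enabled
    if last_login is None:
        findings.append("never-logged-in")
    elif (today - date.fromisoformat(last_login)).days > DORMANT_DAYS:
        findings.append("dormant")
    # Admin rights multiply the impact: such an account can reset others' passwords.
    if findings and can_manage_users:
        findings.append("admin-rights")
    return findings


def audit_export(rows, today=None):
    """Map user_id -> findings for every flagged account in an export."""
    today = today or date.today()
    report = {}
    for user_id, last_login, can_manage in rows:
        findings = audit_account(user_id, last_login, can_manage, today)
        if findings:
            report[user_id] = findings
    return report


if __name__ == "__main__":
    for uid, findings in audit_export(SAMPLE_EXPORT, date(2024, 6, 1)).items():
        print(uid, ", ".join(findings))
```

Anything reported as "foreign-domain" should additionally be checked against a WHOIS or DNS lookup, since a domain that is unregistered today can be bought by anyone tomorrow.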
(mki)