Federal health reporting: Security flaw hit favorites list
A security vulnerability in the federal health reporting portal could have affected 300 people who had created a favorites list.
The gbe-bund.de website has been in maintenance mode for weeks.
(Image: Screenshot / heise online)
A month ago, IT security expert Lilith Wittmann discovered a security vulnerability in the online database of the federal government's health reporting system (GBE). Since then, the website has been in maintenance mode. This is due to a security vulnerability in a new function that allows readers to save their interests. Around 500 user profiles are affected. These were used "exclusively to save an individual list of favorites and can optionally contain an email address and a real name", a spokesperson for the Federal Statistical Office (Destatis) said in response to a query from heise online.
According to the Destatis spokesperson, a leak of user information relevant to data protection law could be ruled out. "Information such as recently viewed sites and personal favorites were also not technically accessible. Secret statistical information or individual data are not contained in the GBE portal," it continues. Attackers would have had to know a username and manipulate the URL to access the accounts. If users had provided an email address or a real name, it would have been possible to change the details, according to the spokesperson. "In case you're wondering why such vulnerabilities (i.e., cross-site scripting) are so critical: Instead of turning it into a game like this, you can use something like this to send someone a link by email that looks like it's from a government website," Wittmann comments on X.
Online database bundles billions of figures
According to the Federal Ministry of Health, health data and information from more than 100 different sources flow centrally into the online database of the federal GBE. The data basis for the federal GBE is formed by the figures from the "health monitoring carried out by the Robert Koch Institute (RKI) as well as other epidemiological studies, official statistics, epidemiological registers and routine data from social insurance providers". This refers to "three billion figures and indicators". These originate, for example, from surveys conducted by the Federal Statistical Offices. Interested parties can search for causes of death, for example, but also for statistics on obesity and much more. International surveys can also be found.
According to the Destatis spokesperson, it will be a few weeks before the maintenance work is completed. Tests with other institutions connected to the portal are still ongoing.
(mack)
