Security flaw in municipal website causes data leak in BundID.

Insecure software causes the digital administrative services of almost 300 German municipalities to be shut down.

By Fabian A. Scherschel
This article was originally published in German and has been automatically translated.

IT security researcher Lilith Wittmann has once again uncovered serious problems with the federal government's administrative IT, this time in the so-called BundID, which provides access to the citizen account and thus to digital administrative services.

The BundID, which will soon be called DeutschlandID, currently still lacks services that are compatible with it. Now there are also security gaps in the services that do exist. Last week, security researcher Lilith Wittmann, who likes to call herself a "riot influencer", uncovered a vulnerability that gives attackers access to BundID and thus to the administrative portals of hundreds of German municipalities.

The vulnerability lies in the implementation of the Security Assertion Markup Language (SAML), an alternative to OAuth that BundID uses as its authentication procedure. SAML lets a local authority's website identify a user who is already logged into the BundID system, so the user does not have to log in again on each municipal page. Although SAML is generally considered secure, it is difficult to implement correctly, according to Wittmann. Since hundreds of municipal offices have to implement it to be compatible with BundID, the probability that someone makes a mistake is high. This is precisely what happened with the OpenR@thaus software from the Osnabrück service provider ITEBO, which is apparently used by numerous local authorities.

According to Wittmann, the manufacturer wanted to "add a small convenience function to the SAML protocol that allows users to be redirected directly to the correct website after logging in." Unfortunately, the developers made a mistake, which meant that "you can be redirected to any website after logging in." To show how an attacker would proceed, Wittmann built a fake administration page within an hour with the help of AI; it could have been used to harvest citizens' personal data, provided they had fallen for the page – lured by several thousand euros in heating cost subsidies. A loophole in one local implementation thus put all user data held in the BundID at risk.
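As an added example, not code from the article or from OpenR@thaus, the following shows the class of mistake described above: a post-login redirect that follows whatever target it is handed, beside a version that only follows targets on the service provider's own host. The host names are constructed, and the parameter name is an assumption; the article does not say which parameter ITEBO's implementation used.

```python
from urllib.parse import urljoin, urlparse

# Constructed values: the portal the service provider legitimately serves.
ALLOWED_HOSTS = {"buergerportal.example-stadt.de"}
DEFAULT_TARGET = "https://buergerportal.example-stadt.de/start"


def vulnerable_redirect_target(relay_state: str) -> str:
    """The flawed 'convenience function': after the SAML login completes,
    send the browser wherever the (attacker-controllable) parameter says."""
    return relay_state or DEFAULT_TARGET


def safe_redirect_target(relay_state: str) -> str:
    """Follow the post-login target only if it resolves to an allow-listed
    host over HTTPS; otherwise fall back to the portal start page."""
    if not relay_state:
        return DEFAULT_TARGET
    # Resolve relative paths ("/antrag/heizkosten") against the portal.
    # A scheme-relative value ("//evil.example") resolves to a foreign host
    # and is therefore caught by the host check below.
    candidate = urljoin(DEFAULT_TARGET, relay_state)
    parts = urlparse(candidate)
    if parts.scheme != "https":
        return DEFAULT_TARGET
    # Reject userinfo tricks such as https://allowed-host@evil.example/
    # even though .hostname already yields the real host in that case.
    if "@" in parts.netloc or parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return candidate
```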

The responsible Ministry of the Interior reacted promptly and shut down the vulnerable system within hours. Wittmann had publicly reported the vulnerability on Twitter on Friday evening, and the problem was finally fixed on Sunday morning.

However, the affected service provider apparently did not manage to secure its software fully: at the beginning of this week, Wittmann discovered another vulnerability in the same system. This one stems from a more than eight-year-old vulnerability in the open-source CMS Liferay, which OpenR@thaus uses, that apparently went unnoticed. Following the announcement of this new vulnerability, all municipal services that use OpenR@thaus have for now been taken offline. According to Wittmann, the system apparently has further vulnerabilities. She herself does not think much of the whole BundID/DeutschlandID idea in general: "A central ID as a trust anchor for the administration is a bad idea. Local authorities don't need services with any identity systems attached to them on their websites. For everything where a state identity really needs to be established beyond doubt - online and immediately - the ID card should simply be used."

Lilith Wittmann made a name for herself in IT security circles across Germany in 2021 when she discovered a vulnerability in the CDU's connect app. The party initially filed a criminal complaint against her and then apologized after a public outcry. Large parts of the German IT security community pledged their support to the researcher.

(emw)