Vulnerability in PostBus public transport platform exposed customer data

The online portal is used to track fare dodging on Swiss public transport

PostBus has resolved a serious data exposure vulnerability in one of its online Swiss public transport platforms.

ZTF cybersecurity researchers Sven Faßbender, Martin Tschirsich, and Dr André Zilch conducted a penetration test on the Ticketcontrol.ch platform, operated by PostBus, a subsidiary of ÖBB-Personenverkehrs AG.

TicketControl is an online service used to manage fare dodging in Switzerland. The platform has been designed to identify people who continually avoid paying their way on public transport by connecting to a national register. Passengers are also able to upload proof they had valid tickets at the time an offense was recorded.

‘Obvious deficiency’

ZTF researchers say the penetration test revealed the compromise of confidential, centrally stored data through “an obvious deficiency”, an insecure direct object reference (IDOR) vulnerability.

IDOR vulnerabilities are access control security issues that arise when an application has the capability to use user-supplied input to influence objects directly, including database objects and static files.

If exploited, IDOR flaws may be able to bypass access controls, steal or leak data, or modify other resources.

RECOMMENDED Xerox belatedly addresses web-based printer bricking threat

According to the report (PDF, translated), a lack of access control on a Ticketcontrol path allowed external, unauthenticated attackers to load resources such as crafted JavaScript code or malicious image files via an HTTP GET request and a numeric identifier.

In theory, this allowed attackers to pull customer data from the platform.

“People who used the train or bus without a valid ticket had to upload documents that contained personal information in the affected application,” Faßbender told The Daily Swig.

“By utilizing the IDOR vulnerability an attacker was able to download those documents. An attacker could use those documents to impersonate the victims or mount further attacks such as stalking or phishing attempts.”

Raising the ticket

The vulnerability was privately reported to PostBus AG, the Federal Data Protection Commissioner (FDPIC), and the National Center for Cyber ​​Security (NCSC) on January 21, 2022.

PostBus confirmed the vulnerability and “immediately remedied” the flaw, according to ZTF.

Read more of the latest security vulnerability news

Local media outlet SRF reports that 1,776 exposed datasets were deleted following remediation. The operator said it “very much regret[s] this error and apologize[s] to the customers whose data we have not adequately protected”.

The research team recommends that on such portals, server-side authorization checks are implemented before requests are processed, and when authorization systems are in use, the least-privilege principle should be applied.

The Daily Swig has reached out to PostBus with additional queries and we will update this story if and when we hear back.

YOU MIGHT ALSO LIKE US government’s ‘zero trust’ roadmap calls time on perimeter-based paradigm