On October 8, 2020, the City Government of Pasig launched its 'PasigPass' contact tracing solution. PasigPass can be accessed by anyone online at https://pasigpass.pasigcity.gov.ph/.
As of November 28, 2020, there are 452,662 individuals and 1,157 establishments registered and using the contact tracing solution.
In the past few months, we've heard a lot about contact tracing apps in the country that may threaten the security and privacy of their users.
In this blog post, I will share my review of and feedback on PasigPass.
Weakness Type: CWE-693: Protection Mechanism Failure
Security headers add another layer of defense by helping the application prevent whole classes of vulnerabilities. Using an online grading tool, the PasigPass web application is graded F, which means it does not send the necessary security headers.
- X-Frame-Options prevents attacks like clickjacking by telling the browser whether the web app may be framed or not.
- Referrer-Policy prevents attacks like reset-password token leakage by setting a referrer policy that controls how much information the browser includes with navigations away from the site.
- Content Security Policy (CSP) prevents attacks like Cross-Site Scripting (XSS) by whitelisting the sources of approved content.
Implementing these security headers is a must for a website that collects or processes personal information. It is also one of the common best practices.
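To make the grading concrete, here is an added example (not from the original post or from the PasigPass team) that checks a set of response headers for the three protections above, including whether the values actually restrict anything. The header values are constructed for illustration.

```python
# Safe values for the two simple headers the post names.
SAFE_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}

def csp_script_sources(csp):
    """Source list of script-src, falling back to default-src per the CSP spec."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get("script-src", directives.get("default-src", []))

def grade_headers(headers):
    """Return findings for the three headers; an empty list means all pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif xfo.upper() not in SAFE_FRAME_OPTIONS:
        findings.append(f"X-Frame-Options has unsafe value {xfo!r}")
    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("Referrer-Policy missing: full URLs leak via Referer")
    elif rp.lower() not in SAFE_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy {rp!r} may still leak path and query")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing: no script whitelist")
    else:
        srcs = set(csp_script_sources(csp))
        if not srcs or srcs & {"'unsafe-inline'", "*"}:
            findings.append("Content-Security-Policy does not restrict script sources")
    return findings

# Constructed response, modelled on the server headers quoted in the post.
OBSERVED = {"Server": "Microsoft-IIS/10.0",
            "X-AspNetMvc-Version": "5.2",
            "X-Powered-By": "ASP.NET"}
# Constructed remediated response for comparison.
REMEDIATED = {**OBSERVED,
              "X-Frame-Options": "DENY",
              "Referrer-Policy": "strict-origin-when-cross-origin",
              "Content-Security-Policy": "default-src 'self'; script-src 'self'"}

if __name__ == "__main__":
    for name, hdrs in (("observed", OBSERVED), ("remediated", REMEDIATED)):
        print(name, grade_headers(hdrs) or ["all three headers present and sane"])
```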
✔️Sign Up: Information Collection
The sign-up form only asks for necessary details such as Full Name, Birthdate, Home Address, Email, and Mobile Number, which are vital for contact tracing.
❌Sign Up: Password Requirement
Weakness Type: CWE-521: Weak Password Requirements
The password field on the sign-up page clearly displays the requirements for the account's password. Personally, I don't recommend setting 6 characters as the minimum password length.
The National Privacy Commission (NPC) recommends a minimum length of 12 characters.
Weakness Type: CWE-345: Insufficient Verification of Data Authenticity
When it comes to email security, organizations must publish an SPF record in their DNS to prevent potential email spoofing attacks. Using an online tool, I found that pasigcity.gov.ph, the main domain, doesn't have an SPF record.
To demonstrate the vulnerability, I used an online fake emailer and sent a fake email to my own email address. Here is the result that I received in my inbox.
pasigcity.gov.ph uses Google Mail as its primary mail server, so to remediate this vulnerability they only need to add an SPF record to their DNS with the following value:
v=spf1 include:_spf.google.com -all
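The added example below (not from the original post) shows what a receiving mail server gets out of that record. It implements only the ip4, include and all terms of SPF against constructed TXT data: the pasigcity.gov.ph entry is empty as observed in the post, remediated.example is a placeholder domain carrying the recommended record, and the _spf.google.com entry is a toy stand-in for Google's real netblocks.

```python
import ipaddress

# Constructed DNS TXT data for the example (not real lookups).
TXT = {
    "_spf.google.com": ["v=spf1 ip4:203.0.113.0/24 -all"],   # toy stand-in
    "pasigcity.gov.ph": [],                                  # no SPF record, as observed
    "remediated.example": ["v=spf1 include:_spf.google.com -all"],  # recommended record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain):
    """Return the single v=spf1 TXT record for a domain, or None if absent."""
    recs = [t for t in TXT.get(domain, []) if t.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None

def check_spf(domain, sender_ip, depth=0):
    """Simplified SPF evaluation (RFC 7208 subset: ip4, include, all)."""
    record = spf_record(domain)
    if record is None:
        return "none"        # receiver has nothing to enforce: any host may send as the domain
    if depth > 10:
        return "permerror"   # RFC 7208 caps the number of DNS-querying mechanisms
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        if term == "all":
            return result    # catch-all: with "-all" every unlisted sender fails
        mech, _, arg = term.partition(":")
        if mech == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return result
        if mech == "include" and check_spf(arg, sender_ip, depth + 1) == "pass":
            return result
    return "neutral"

if __name__ == "__main__":
    # Same spoofed sender, before and after adding the record.
    print(check_spf("pasigcity.gov.ph", "198.51.100.7"))    # none: nothing to reject on
    print(check_spf("remediated.example", "198.51.100.7"))  # fail: receiver can reject
    print(check_spf("remediated.example", "203.0.113.10"))  # pass: legitimate Google host
```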
The username and password fields, and even the fields in the sign-up form, carry an attribute called autocomplete that is currently set to off. If the attribute is missing or enabled, credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
This is very important since some users share devices or rent/use computers in internet cafes.
✔️Reset Password Validity
When I requested a password reset, I received the email shown in the image above.
The first thing I noticed was the note included in the email. I was like WOW! The reset password link validity is very strict, or short. The commonly recommended validity that I always encounter is at least 24 hours, but for PasigPass it's only 5 minutes, which is not a problem (I actually like it).
Additionally, the reset password link looks like this:
They use a UUID instead of random characters that could possibly be guessed or brute-forced.
Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.2
X-Powered-By: ASP.NET
When you request the PasigPass website, the data above is returned as part of the response headers.
Both the Microsoft IIS server and ASP.NET MVC are up to date!
❓ Web Application Firewall
Weakness Type: CWE-693: Protection Mechanism Failure
A Web Application Firewall (WAF) typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others.
By deploying a WAF in front of a web application, a shield is placed between the Internet and the web application.
Right now, I haven't detected a WAF in front of PasigPass.
❌Password can be submitted using GET
Weakness Type: CWE-598: Use of GET Method With Sensitive Query Strings
By default, a form with a missing method attribute uses GET. The problem with the GET method is that data such as the username and password are transmitted as part of the URL.
Sensitive information within URLs may be logged in various locations such as:
- web server logs (via the referrer);
- the browser's history;
- and potentially, search engines (e.g., cached by Google).
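As an added example (not from the original post), this small audit parses page markup and flags any form that contains a password field but would submit via GET, which is exactly the default-method situation described above. The two form snippets are constructed; the action path /login is a placeholder.

```python
from html.parser import HTMLParser

class PasswordFormAudit(HTMLParser):
    """Flag <form> elements with a password field whose method is not POST."""
    def __init__(self):
        super().__init__()
        self.open_form = None   # attributes of the form currently being parsed
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)   # attribute values may be None for bare attributes
        if tag == "form":
            self.open_form = {"action": a.get("action") or "(current URL)",
                              # browsers fall back to GET when method is absent
                              "method": (a.get("method") or "get").lower(),
                              "has_password": False}
        elif tag == "input" and self.open_form is not None:
            if (a.get("type") or "").lower() == "password":
                self.open_form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.open_form is not None:
            f = self.open_form
            if f["has_password"] and f["method"] != "post":
                self.findings.append(
                    f"form to {f['action']} submits a password via "
                    f"{f['method'].upper()}: credentials land in the URL")
            self.open_form = None

def audit_forms(html):
    """Return one finding per password form that does not use POST."""
    p = PasswordFormAudit()
    p.feed(html)
    p.close()
    return p.findings

# Constructed markup: a login form missing its method attribute (the defect
# described in the post) and the corrected form beside it.
WEAK = ('<form action="/login"><input name="u">'
        '<input type="password" name="p"></form>')
FIXED = ('<form action="/login" method="post"><input name="u">'
         '<input type="password" name="p"></form>')

if __name__ == "__main__":
    print(audit_forms(WEAK))    # one finding
    print(audit_forms(FIXED))   # []
```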
What they have:
- Service description
- Personal information that are collected
- Purpose of collected information
- Third Party transfer/disclosure
- Retention Period
- Data Subject Rights
What is missing:
- Method and Timing of Collection
  - How do you collect information?
  - When do you collect information?
- Storage and Transmission of Information
  - How do you store and transmit information?
  - How do you protect stored personal data?
  - How do you protect personal data in transit?
- DPO Contact Information
  - How can data subjects reach out to you regarding data privacy?
So far, Pasig's PasigPass application is the most okay contact tracing solution in the country right now. Well, I haven't tried performing thorough testing yet (unless they give me permission), so I have no idea yet whether there are other potential vulnerabilities in the application. There might be some if we perform targeted testing based on the features of the application, the libraries used, etc.
To everyone, please validate emails coming from @pasig.gov.ph to avoid getting tricked by scammers or cybercriminals.
- November 30, 2020 12:48am - Email sent to [email protected] and Mayor Vico's email address.
- December 2, 2020 10:02am - I emailed to request updates.
- December 4, 2020 9:16pm - I sent my final email and informed them that I will publish this blog post.
That is all for now!