Technical Review of Pasig's Contact Tracing Solution

On October 8, 2020, the City Government of Pasig launched its 'PasigPass' contact tracing solution. PasigPass can be accessed by anyone online at https://pasigpass.pasigcity.gov.ph/.

As of November 28, 2020, there are 452,662 individuals and 1,157 establishments registered and using the contact tracing solution.
Source: https://www.facebook.com/VicoSotto/posts/3647660351959283

In the past few months, we've heard a lot about contact tracing apps in the country that may threaten the security and privacy of their users.

In this blog post, I will discuss my feedback and review of PasigPass.


❌Security Headers

Weakness Type: CWE-693: Protection Mechanism Failure

Figure 1: Grade of PasigPass for Security Headers

Security headers add another layer of defence by instructing the browser to block whole classes of attacks before they reach the application. Using an online grading tool, the PasigPass web application is graded F, which means it does not send the necessary security headers.

  • X-Frame-Options prevents attacks like clickjacking by telling the browser whether the web app may be framed or not.
  • Referrer-Policy prevents attacks like reset password token leakage by setting a referrer policy that controls how much information the browser includes when navigating away from the site.
  • Content Security Policy prevents attacks like Cross-Site Scripting (XSS) by whitelisting the sources of approved content.

Implementing these security headers is a must for a website that collects or processes personal information. It is also one of the most common best practices.
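As an added example (not code from the original post or from PasigPass), the following Python script does roughly what the online grading tool does for the headers discussed above: it parses a raw HTTP response head and reports which security headers are missing or weakly configured. Both responses in the script are constructed; the first mimics the headers the post reports for PasigPass (IIS/ASP.NET MVC and no security headers), the second is a hardened version. The letter grade scale is this script's own, not the online tool's.

```python
"""Security-header audit: parse a raw HTTP response head and report which of
the headers discussed above are missing or weakly set.

Added example, not code from the original post or from PasigPass. Both
responses below are constructed; the first mimics what the post reports
(IIS/ASP.NET MVC with no security headers) and the second is a hardened
version. The letter grade scale is this script's own.
"""
from typing import Dict, List

# Header name -> what it protects against. Names are compared case-insensitively.
REQUIRED_HEADERS = {
    "content-security-policy": "restricts where scripts/frames may load from (XSS, clickjacking)",
    "x-frame-options": "tells the browser whether the page may be framed (clickjacking)",
    "referrer-policy": "limits referrer data sent on navigation (reset token leakage)",
    "strict-transport-security": "forces HTTPS on later visits",
    "x-content-type-options": "stops MIME sniffing of responses",
}


def _is_weak(name: str, value: str) -> bool:
    """Flag values that are present but do not actually protect anything."""
    v = value.strip().lower()
    if name == "x-frame-options":
        return v not in ("deny", "sameorigin")
    if name == "content-security-policy":
        tokens = v.replace(";", " ").split()
        return "'unsafe-inline'" in tokens or "*" in tokens
    if name == "referrer-policy":
        return v in ("unsafe-url", "no-referrer-when-downgrade")
    return False


def parse_response_head(raw: str) -> Dict[str, str]:
    """Parse 'status line + headers' into a dict keyed by lowercase name.
    Anything after the blank line (the body) is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> Dict[str, object]:
    """Return missing and weak headers plus a letter grade (A = no issues)."""
    missing: List[str] = [h for h in REQUIRED_HEADERS if h not in headers]
    weak: List[str] = [h for h in REQUIRED_HEADERS if h in headers and _is_weak(h, headers[h])]
    issues = len(missing) + len(weak)
    grade = "ABCDF"[min(issues, 4)]  # 0 issues -> A ... 4 or more -> F
    return {"grade": grade, "missing": missing, "weak": weak}


# Constructed response resembling the headers the post lists for PasigPass.
OBSERVED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-AspNetMvc-Version: 5.2\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed response carrying the headers the post asks for.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("observed", OBSERVED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit_headers(parse_response_head(raw))
        print(f"{label}: grade {result['grade']}")
        for h in result["missing"]:
            print(f"  missing {h}: {REQUIRED_HEADERS[h]}")
        for h in result["weak"]:
            print(f"  weak    {h}")
```

The weak-value checks matter as much as the presence checks: a site that sends X-Frame-Options: ALLOWALL or a Content-Security-Policy containing a bare wildcard would pass a naive "is the header there" test while offering no protection.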

✔️Sign Up: Information Collection

The sign up form only asks for necessary details such as Full Name, Birthdate, Home Address, Email, and Mobile Number, which are vital for contact tracing.

❌Sign Up: Password Requirement

Weakness Type: CWE-521: Weak Password Requirements

Figure 3: Password Requirement

The password field on the sign up page clearly displays the requirements for the account's password. For me, I don't recommend setting 6 characters as the minimum password length.

The National Privacy Commission (NPC) recommends passwords at least 12 characters long.

Figure 4: Tip #1 from NPC's 30 Ways to Love Yourself Online. https://www.privacy.gov.ph/30-ways/

❌Email Security

Weakness Type: CWE-345: Insufficient Verification of Data Authenticity

Figure 5: Missing SPF Record

When it comes to email security, organizations should publish an SPF record in their DNS so that receiving mail servers can reject email spoofing attempts. Using an online tool, it shows that pasigcity.gov.ph, the main domain, doesn't have an SPF record.

To demonstrate the vulnerability, I used an online fake emailer and sent a fake email to my own email address. Here is the result that I received in my inbox.

pasigcity.gov.ph uses Google Mail as its primary mail server, so to remediate this vulnerability they only need to add an SPF record to their DNS with the following value:

v=spf1 include:_spf.google.com -all

✔️Autocomplete

Figure 7: Source of Username and Password field with autocomplete set to off

The username and password fields, and even the fields in the sign up form, contain an attribute called autocomplete that is currently set to off. If the attribute is missing or enabled, credentials entered by the user can be stored on their local computer and retrieved by the browser on future visits to the same application.

This is very important since some users share devices or rent computers in internet cafes.

✔️Reset Password Validity

Figure 8: Reset Password Email from PasigPass

When I requested to reset my password, I've received the email shown in the image above.

The first thing I noticed was the note included in the email. I was like WOW! The reset password link validity is so strict or short. The common recommended validity that I always encounter is at least 24 hours, but for PasigPass it's only 5 minutes, which is not a problem (I actually like it).

Additionally, the reset password link is like this:

https://pasigpass.pasigcity.gov.ph/User/ResetPassword?session=a8278db7-504d-44b9-95e7-95e246fa56dd

They use a UUID instead of random characters that could possibly be guessed or brute-forced.
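The two properties praised above, an unguessable token and a short validity window, are easy to get wrong in small ways (reusable links, tokens stored in plaintext, no expiry check on redemption). The following is an added example of how a reset-token store can provide both; it is not PasigPass's implementation. The storage is an in-memory dict, the link host is a placeholder, and the current time is injectable so expiry can be exercised without waiting five minutes.

```python
"""Password-reset tokens with the two properties the post praises:
an unguessable token (UUID4, 122 random bits) and a 5-minute validity.

Added example, not PasigPass's code. In-memory store; 'now' is injectable.
"""
import hashlib
import time
import uuid
from typing import Dict, Optional, Tuple

RESET_TTL_SECONDS = 5 * 60  # the validity window the post observed
LINK_TEMPLATE = "https://example.invalid/User/ResetPassword?session={token}"  # placeholder host


class ResetTokenStore:
    """Issue single-use, time-limited reset tokens and redeem them."""

    def __init__(self, ttl: int = RESET_TTL_SECONDS) -> None:
        self.ttl = ttl
        # sha256(token) -> (user_id, issued_at). Only a hash is stored, so a
        # leaked copy of this table does not yield working reset links.
        self._tokens: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a fresh token for user_id and return it (to be emailed)."""
        now = time.time() if now is None else now
        token = str(uuid.uuid4())  # version-4 UUID: 122 bits from os.urandom
        self._tokens[self._fingerprint(token)] = (user_id, now)
        return token

    def reset_link(self, token: str) -> str:
        return LINK_TEMPLATE.format(token=token)

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user_id if the token is valid and unexpired, else None.

        The token is consumed on the first attempt, valid or not, so a link
        cannot be replayed after use or after it has expired.
        """
        now = time.time() if now is None else now
        try:
            uuid.UUID(token)  # reject malformed input before touching the store
        except ValueError:
            return None
        # Lookup is by hash of the submitted value, so lookup timing reveals
        # nothing about the bytes of any stored token.
        entry = self._tokens.pop(self._fingerprint(token), None)
        if entry is None:
            return None
        user_id, issued_at = entry
        if now - issued_at > self.ttl:
            return None
        return user_id


if __name__ == "__main__":
    store = ResetTokenStore()
    t0 = 1_700_000_000.0  # constructed fixed clock
    token = store.issue("user-42", now=t0)
    print("link:", store.reset_link(token))
    print("redeem after 4 min:", store.redeem(token, now=t0 + 240))   # user-42
    print("redeem again      :", store.redeem(token, now=t0 + 241))   # None (single use)
    late = store.issue("user-42", now=t0)
    print("redeem after 6 min:", store.redeem(late, now=t0 + 360))    # None (expired)
```

Version-4 UUIDs are drawn from the operating system's CSPRNG in Python, so the 122 random bits are genuinely unguessable; the point of storing only a hash and consuming the token on first use is that the short window stays short even if a link is forwarded or logged somewhere.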

✔️Software Version

Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.2
X-Powered-By: ASP.NET

When you request the PasigPass website, the headers above are returned as part of the response.

Both the Microsoft IIS server and ASP Net MVC are up to date!

❓ Web Application Firewall

Weakness Type: CWE-693: Protection Mechanism Failure

Figure 9: Result of WAF Checker

A Web Application Firewall (WAF) typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others.

By deploying a WAF in front of a web application, a shield is placed between the Internet and the web application.

Right now, I haven't detected a WAF in front of PasigPass.

❌Password can be submitted using GET

Weakness Type: CWE-598: Use of GET Method With Sensitive Query Strings

Figure 10. Source code of Login Form

By default, a form without a method attribute submits using GET. The problem with using GET is that data such as the username and password are transmitted as part of the URL.

Sensitive information within URLs may be logged in various locations such as:

  • web server logs (via referrer);
  • the browser's history;
  • and potentially, search engines (cached by Google).
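The login-form finding here and the autocomplete check from the earlier section can both be made by reading the form's HTML, which is what the screenshots in those two sections show. As an added example (not code from the original post or from PasigPass), the script below walks every form in a page with Python's standard html.parser and flags a password field submitted by GET (including the missing-method case) and any credential field without autocomplete="off". The three HTML snippets are constructed to resemble the forms discussed; they are not copies of PasigPass's markup.

```python
"""Audit HTML forms for two of the findings in this review:
  - a password field in a form whose method is GET or missing (CWE-598)
  - credential fields without autocomplete="off"

Added example, not the post's or PasigPass's code. HTML below is constructed.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional

CREDENTIAL_TYPES = {"password", "text", "email", "tel"}


class FormCollector(HTMLParser):
    """Collect each <form> with its method/action and the <input>s inside it."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[Dict] = []
        self._current: Optional[Dict] = None

    def handle_starttag(self, tag, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # HTML default: a form without method submits with GET
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(),
                             "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(a)

    def handle_endtag(self, tag) -> None:
        if tag == "form":
            self._current = None


def audit_forms(html: str) -> List[str]:
    """Return one human-readable finding per problem found in the page."""
    collector = FormCollector()
    collector.feed(html)
    findings: List[str] = []
    for i, form in enumerate(collector.forms):
        label = form["action"] or f"form #{i}"
        has_password = any(inp.get("type", "text").lower() == "password"
                           for inp in form["inputs"])
        if has_password and form["method"] != "post":
            findings.append(f"{label}: password submitted via "
                            f"{form['method'].upper()} (CWE-598)")
        for inp in form["inputs"]:
            if inp.get("type", "text").lower() in CREDENTIAL_TYPES \
                    and inp.get("autocomplete", "").lower() != "off":
                findings.append(f"{label}: field '{inp.get('name', '?')}' "
                                f"lacks autocomplete=\"off\"")
    return findings


# Constructed: resembles the login form finding (no method attribute).
LOGIN_FORM_NO_METHOD = """
<form action="/User/Login">
  <input type="text" name="Username" autocomplete="off">
  <input type="password" name="Password" autocomplete="off">
  <button type="submit">Login</button>
</form>
"""

# Constructed: same form with method="post".
LOGIN_FORM_HARDENED = """
<form action="/User/Login" method="post">
  <input type="text" name="Username" autocomplete="off">
  <input type="password" name="Password" autocomplete="off">
</form>
"""

# Constructed: a sign up form that gets both things wrong.
SIGNUP_FORM_WEAK = """
<form action="/User/Register">
  <input type="email" name="Email">
  <input type="password" name="Password" autocomplete="off">
</form>
"""

if __name__ == "__main__":
    for name, html in (("login (no method)", LOGIN_FORM_NO_METHOD),
                       ("login (hardened)", LOGIN_FORM_HARDENED),
                       ("signup (weak)", SIGNUP_FORM_WEAK)):
        print(name, "->", audit_forms(html) or ["no findings"])
```

One caveat on the autocomplete check: current mainstream browsers ignore autocomplete="off" on login fields for their own password managers, so the attribute is defence in depth for shared devices rather than a guarantee. The method check has no such caveat; a missing method attribute really does put the password in the URL.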

✔️Privacy Statement

What they have:

  • Service description
  • Personal information that are collected
  • Purpose of collected information
  • Third Party transfer/disclosure
  • Retention Period
  • Data Subject Rights

What are missing:

  • Method and Timing of Collection
    How do you collect information?
    When do you collect information?
  • Storage and transmission of information
    How do you store and transmit information?
    How do you protect stored personal data?
    How do you protect personal data in transit?
  • DPO Contact Information
    How can data subjects reach out to you regarding data privacy?

So far, Pasig's PasigPass application is the most okay contact tracing solution in the country right now. Well, I haven't performed thorough testing yet (unless they give me permission), so I have no idea yet whether there are other potential vulnerabilities in the application. There might be some if targeted testing is performed based on the features of the application, the libraries used, etc.

To everyone, please validate emails claiming to come from @pasig.gov.ph to avoid getting tricked by scammers or cybercriminals.


Timeline

  • November 30, 2020 12:48am - Email sent to [email protected] and Mayor Vico's email address.
  • December 2, 2020 10:02am - I emailed them to request an update.
  • December 4, 2020 9:16pm - I sent my final email and informed them that I will publish this blog post.

That is all for now!