andrew burke





Passport Canada's Secure Enterprise Software

Posted on: 2007-12-05

Many places are reporting the recent discovery that Passport Canada's online passport application system lets you see other people's applications by simply changing a value in your URL.

Since I already have a passport, I haven't looked at the actual site. However, I did see a bit of the news report where a small identifier in the URL was changed and produced a different passport application.

My guess is that they decided to write their own 'secure' session handling and they probably had weird policies in place that they couldn't keep cookies on the client browser or couldn't use certain frameworks or whatever. Unfortunately, instead of using a long semirandom identifier like almost every web framework out there, they used a small sequential identifier instead.

My other guess is that or they put the identifying key of the particular application into the URL - which is something I've done occasionally as well (like in this blog!), except that step #2 in doing this is to add extra security to make sure people aren't just guessing numbers - and if you're working with sensitive data, use at least a basic two-way encryption process so that the keys can't be easily guessed by anyone.

Some large consulting firm probably got paid a lot of money to build this 'enterprise' system. I thought I'd see if it's mentioned anywhere, like how Accenture announced their award-winning software for the Ontario Government. Conveniently, Passport Canada has to report its contracts:

There's no interface for changing the dates listed, but you can just change the values in the URL itself to get different reports. Put in the two-year span after 'yr' and the final part is I think the quarter for the report. I guess typing into URLs is their new interactivity standard!

Previous: DemoCampToronto16
Next: IE is pants, pure and simple