Tomorrow, Tuesday, is budget day here in Alberta. Like many Albertans, I am curious about what Finance Minister Ted Morton is going to deliver, so I started poking around online. First stop, last year’s budget, available at http://budget2009.alberta.ca/.
Seems logical that the 2010 budget would be at http://budget2010.alberta.ca. So I tried that URL, and was prompted with a login screen. First thing that came to mind was “administrator” and “password”. Voila:
Fortunately for Mr. Morton, the documents don’t appear to have been uploaded yet. You can see all the placeholders though, which is kind of funny. And it seems you can leave feedback.
It does reveal the theme of the budget, Striking the Right Balance. Last year was Building on Our Strength.
This is what is known as “security through obscurity”. It’s not really secure, it’s just hidden. I’d suggest that programmers working at the Government of Alberta invest in Writing Secure Code, a fantastic book on the subject.
I hope this isn’t a reflection of the budget we see tomorrow…cutting corners, etc.
UPDATE: Sometime around 9:45 AM today they changed the password, and I think pointed the virtual directory somewhere else.
UPDATE2: The Journal wrote about this today.
UPDATE3: The site is now officially live with all the budget documents. Enjoy!
19 thoughts on “Alberta Budget 2010 website – security through obscurity”
Nice work Mack, thankfully, they’ve changed the password. Imagine the DemoCamp gang getting ahold of that live, I can hear the jeering already…
Come on Government of Alberta, this is embarrassing, you guys need to be better than this.
lol… Nice job!
Walter is right. Democamp would be all over this thing jeering at it. Priceless.
I think the DemoCamp crowd would also be among the first to offer to help! Let’s not unfairly paint a community that had nothing to do with this as a bunch of jeering geeks.
You may have fallen fowl of the Computer Misuse Act has you done this in the UK 😉
Wow, I can’t believe that… I used to work for one of the ministries and we never had any security on our sites that lax…
What exactly did you see except a placeholder site with nothing on it. All I see is someone who wants his name in the media.
You’re right Fred, not much…just the theme of the budget, and the breakdown in documents and charts that we can expect to see later today.
The point is that they got lucky this time. We need to ensure this sort of mistake isn’t repeated!
wow, mack, you’re the best. this made my day.
Just excellent work. We are watching the budget for one reason only here in Saskatchewan…”Are they going to ‘thaw’ the job ‘freeze’?! My fiance is waiting to get a call to start work in Alberta, but they cannot make that call until this “hiring freeze” is over.
Just bad luck/timing on us I guess!
I think this is a real security issue. I would say two things:
1) A site that hasn’t gone live yet shouldn’t default to a login screen. It looks bad, and invites visitors to try logging in.
2) A site should never have an account where “administrator” and “password” provides access.
Even though there was nothing really “there” once Mack got in, it still represents a breach.
Is this no different than someone who does SQL attacks with the intent of finding some information?
Weak passwords aside, If you came public with this first before attempting to contact someone to fix it I hope there is some form of justice/punishment comes to you.
Again if you blogged about this without contacting someone first you just crave attention.
Find an exploit? Contact the admin to have it patched. You actions are no different than people trying to steal corporate secrets.
To “Fred” and “T”
Information security is something that is important to every citizen of Alberta and if Mack discovered something like this, good for him reporting it to the rest of us.
These things need to be made public so we can embarrass the government into protecting our information properly.
This time it was only the budget. Next time it could be enough information to steal your identity.
This isn’t the first time that websites are open to exploit, laptops are stolen, files are tossed into regular trash, etc.
FYI, there is a major difference between Mack trying THE most obvious hack ever and SQL attacks, and that is intent. I don’t believe for a minute there was any malicious intent on Mack’s part.
If you’re going to make accusations, why not sign your full name to them instead of hiding behind an initial or first name? Make me wonder about your intent.
Alain is right – we’re lucky that this time it was just some placeholder text. And of course I absolutely did NOT have any malicious intent. I didn’t expect to find anything at the site, except maybe details on the press release and such.
What I’m trying to say there is that we’d make fun of it, of course we would. However, you’re right that we would probably want to help it, too.
You managed to access a placeholder website that did not contain budget materials. When budget materials were subsequently added, the security was updated and you could no longer access the site. How is this news?