GSA's vendor Web site closed to fix security flaw

Computerworld - A Web site used by vendors to register and bid on government contracts through the U.S. General Services Administration (GSA) was shut down Wednesday for repairs after one user reported security problems that allowed him to view and potentially change bids by other vendors.
The GSA's eOffer/eMod Web site is used by vendors that want to do business with the government and enables them to electronically prepare and submit their applications. It was taken off-line to allow IT workers to repair the apparent flaw, said GSA spokeswoman Jennifer Millikin.
"When we were alerted, we took it down immediately," she said. Technicians will work through the holiday weekend to fix the problems. The site is expected to be back in operation by the middle of next week, she said.
A message on the Web site today said, "The eOffer system is down for maintenance. Please pardon the inconvenience, thank you."
The security problem was discovered Dec. 22 by Aaron Greenspan, president and CEO of Dallas-based Think Computer Inc., a one-man Web software development company that also does IT and security consulting. In an interview today, Greenspan said he found the security glitch accidentally when he tried to resubmit his application to become a government vendor. His initial application was rejected based on an incorrect price that he entered. His second application had an extra space in one line, but the Web site wouldn't allow him to remove the space. He deleted the second application, corrected it, then uploaded it again to the GSA server as required.
On a hunch, he checked to see if he could still access the first aborted application and was surprised to find that it was still visible through the Web site. Further investigation found that he was able to access other applications from other vendors by modifying the unique ID number on his second application, he said.
Using a different ID number, Greenspan was able to see bid data, pricing, personal contact information, confidential financial data and more about other vendors. The information could also be downloaded and potentially changed before being uploaded back to the Web site, he said.
Greenspan prepared a six-page white paper (pdf format) detailing his findings.
"When it is my documents that are up there, and they're giving other people potential access to them, that's not OK," Greenspan said. "I'm glad they shut down the site. That means they're taking it seriously."
He was, however, not happy that it took the agency more than 20 days to investigate his claims before