Okla. agency site plugs coding error that left data exposed

Computerworld - It's rare that someone looking to steal personal data from a Web site need only submit their own SQL query to pull the data of his choice from the underlying database.

But for the past three years -- until this week -- that's just what anyone with a basic knowledge of SQL could do while visiting the Oklahoma Department of Corrections Web site.

That's according to security blogger Alex Papadimoulis, who earlier this week wrote about how he had exploited a fundamental programming error on the site to download more than 10,500 records with Social Security numbers. The records involved people listed in the Oklahoma's Sexual and Violent Offender Registry.

Also exposed were records containing Social Security numbers and personal data on other types of offenders, as well as employees working at the department.

In an interview, Papadimoulis said the coding error, which now appears to have been fixed, affected the search pages of the Sexual and Violent Offender Registry and the General Offender registry. "The main problem was that the URL contained the computer code required to display data on the page, which is a big vulnerability," he said. "Anybody could change the code and have the page display whatever he would like it to display."

Papadimoulis posted screenshots of the records he had captured to prove his point.

Papadimoulis said it took less than a minute for him to figure out how to modify the code to download records containing data from the site. Instead of validating the request or even considering the user input, the site was designed to blindly execute whatever code a user might tell it to execute, he said. "This is the most extreme case of not validating user input. It really is the most basic of errors," he said.

According to Papadimoulis, the flaw allowed anyone to craft queries to access data in the offender databases as well as from other data stores they might be linked to. It could have even allowed for records to be modified, deleted or added. "I didn't try that," he said. "What I did was I told them this was really, really bad."

The first attempt at fixing the issue was not very successful, Papadimoulis noted in his blog. "Their brilliant developers plugged this pothole with a pebble by doing nothing more than a case-sensitive search/replace of 'social_security_number' with 'doc_number,'" Papadimoulis said.

When Papadimoulis again demonstrated how that fix did little to alleviate the problem, Oklahoma Department of Corrections officials finally pulled the site down for maintenance and corrected the issue.

Jerry Massie, public information officer for the agency, today confirmed the flaw and said it has been fixed. "[Papadimoulis] notified us on Thursday evening that he had been able to manipulate the database," Massie said. "There was a weakness in the application." He did not elaborate further.

Massie noted that the records in the sex offender database were all public records anyway, and that the only protected information involved the Social Security numbers.

"We shut the site down on Friday and put in a fix that we thought would work," Massie said.

Papadimoulis noted that the Oklahoma Department of Corrections has put out a request for proposals (download PDF) for consulting services interested in helping the agency acquire a new offender management system. He added that it is not clear whether that move is related to the recently disclosed breach. Massie was unable to clarify that as well.

The request for proposals is dated April 4, one day after Papadimoulis pointed out the problem to the department.