German finance agency suspends site over serious security bug
There goes the national debt
Germany's Federal Finance Agency has pulled its website offline after being notified of a serious security problem by white hat hackers affiliated with the Chaos Computer Club (CCC).
Flaws on the Federal Finance Agency website reportedly created a means to spy on customers of the government agency, steal login credentials or run phishing attacks. The bug reportedly existed for months before CCC stumbled upon it. It is unclear whether the vulnerability was ever exploited or used as part of any scam.
The agency – Deutsche Finanzagentur – is involved in the placement of federal borrowing as well as the managing of federal debt. It also provides an entry point for internet banking services provided by bundeswertpapiere.de.
Flaws in the configuration of the web server used by the agency created a means to mount hard-to-detect phishing attacks, according to an advisory (in German) on the vulnerability published by CCC over the weekend.
A notice on the Deutsche Finanzagentur website said that the site was temporarily unavailable, but gave no indication of when services might be restored. ®