Feeds

CEOP accused of misleading public over site security fail

User who discovered the flaw says agency 'whitewashed' insecurity incident

Seven Steps to Software Security

The person who discovered that the child abuse reporting mechanism on the website of the Child Exploitation and Online Protection Centre was insecure has reacted with anger to suggestions from the agency that the flaw had only affected surfers visiting the site from either Facebook or Google.

He says that contrary to CEOP's claims, the child abuse reporting page itself – and not just a landing page – had been available via a webpage that failed to apply an industry-standard SSL connection for the transmission of highly sensitive material. As a result confidential abuse reports submitted through the page would have been sent "in the clear" making them vulnerable to eavesdropping, according to Terry B, the person who discovered the flaw.

After the discovery of the problem, CEOP issued statements to the media, including El Reg and the BBC, downplaying the severity of the flaw, which was quickly resolved. In a statement, CEOP's chief exec, Peter Davies, said: "The risk was a hypothetical one and there is no evidence to suggest anyone's details have been jeopardised."

A spokeswoman further assured El Reg by telling us that the abuse report form itself was always encrypted and the problem, such as it was, was limited to users arriving from either Facebook and Google at a HTTP landing page on CEOP's website. It would have been better to have used a secure HTTPS page instead, CEOP admits, adding that the security weakness (which it said was fixed on the same day as notification) could only ever have been exploited by a "technically advanced" hacker.

Nonsense, according to Terry B, who has complained to data privacy watchdogs at the Information Commissioner's Office over both the flaw and CEOP's reaction to the problem.

Terry B has also arranged to speak to his MP over what he perceives to be an "attempted whitewash" and the difficulties that he has had in making a complaint about CEOP, for example its failure to provide him with a complaint form or a copy of their complaints process.

CEOP therefore stands accused of not only being more than a little clueless about web security, but of making misleading public statements about its mistakes.

We put Terry B's criticism to CEOP, asking whether it had anything further to say on the matter, but had yet to hear back from the child protection agency by the time we went to press. We'll update this story as and when we hear more.

Presumption of risk

Terry B told El Reg: "I am upset at Peter Davies from CEOP claiming that the vulnerability was only accessible from third-party sites such as Google, Yahoo! etc.

"The vulnerability was on the CEOP website itself. The reporting page itself was going over HTTP (insecure) and not HTTPS (secure)," he said, adding that CEOP had failed to apply an SSL connection by default.

Despite CEOP's assurances, Terry B still contends that there had been a real risk that highly sensitive child abuse reports were left open to interception.

"People who have submitted reports might think that they are only affected if they have submitted through Google etc," he said.

The highly sensitive and personal nature of the data submitted – which would include suspicions of child abuse – threatens not just victims but also those suspect of abuse, should the information fall into the hands of vigilantes.

"You have SSL on e-commerce sites because there is a presumption of risk," Terry B explained. "That's why CEOP's report function must run over an SSL link."

He said he had only contacted the media about the issue after the flaw had been resolved. He confirmed that CEOP had changed its site to use an SSL-encrypted connection by default within a day but is otherwise highly critical of the whole business, describing it as a "whitewash".

Terry B added that despite quickly carrying out some security improvements, CEOP had still left the insecure reporting page available to users by allowing the reporting page to be accessed simply by typing in the address directly or following old (and insecure) http links.

The Information Commissioner's Office has confirmed that it has launched an investigation into the incident, which remains ongoing.

CEOP was set up in 2006 to lead UK policing efforts in the fight against child abuse. It also runs education programmes. CEOP successfully lobbied for Facebook to put a panic button on its website, a measure the social network introduced even after criticism that the measure, though well-intentioned, was misconceived and bound to be ineffective. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.