GSA Bidding Site Compromised By Flaw
thomville writes "NY Times reports that eOffer, the government site allowing on-line bids for contracting government computer services, allowed viewing and modification of other contractors' corporate and financial data." From the article: "The security flaw, which could have permitted contractor fraud, was reported to the agency's inspector general on Dec. 22, but almost three weeks passed before the system was taken offline Wednesday afternoon. The General Services Administration is the federal agency responsible for procuring equipment and services, including computer security technology, making the lapse all the more striking. 'This is the government entity responsible for letting contracts for security,' said Mark Rasch, chief security counsel for Solutionary, a security firm. 'Clearly the people who log in would know about security.'"
The site used digital certs to protect authentication, so it wasn't a matter of the wrong users getting in. But once inside, clearly there's a problem with access rights (the app probably accessed all records as a privileged user) and coding.
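The authentication-versus-authorization split described in the comment above, as an added example (not code from the article or the eOffer system; Bid, BidStore, AuthorizationError and the contractor names are constructed): a client certificate identifies the contractor, but because the application reads the database as one privileged account, every record access still has to be checked against the record's owner in application code.

```python
from dataclasses import dataclass

@dataclass
class Bid:
    bid_id: int
    owner: str          # certificate subject (CN) of the contractor who filed it
    amount: int
    financials: str

class AuthorizationError(PermissionError):
    pass

class BidStore:
    """The app talks to the database as one privileged account, so the
    per-contractor check has to happen here, on every access (constructed)."""
    def __init__(self, bids):
        self._bids = {b.bid_id: b for b in bids}
        self.audit = []   # (subject, bid_id, action, allowed)

    def get_unchecked(self, subject, bid_id):
        # The flawed pattern: the cert proves who 'subject' is (authentication),
        # but nothing ties the requested bid_id to that subject (authorization).
        return self._bids[bid_id]

    def get(self, subject, bid_id, action="view"):
        bid = self._bids.get(bid_id)
        allowed = bid is not None and bid.owner == subject
        self.audit.append((subject, bid_id, action, allowed))
        if not allowed:
            # Fail closed; the same error whether the bid is missing or foreign.
            raise AuthorizationError(f"{subject} may not {action} bid {bid_id}")
        return bid

    def update_amount(self, subject, bid_id, amount):
        # Modification goes through the same owner check as viewing.
        bid = self.get(subject, bid_id, action="modify")
        bid.amount = amount
        return bid

def cross_tenant_denials(store):
    """Detection side: denied accesses per certificate subject, the signal a
    reviewer wants in the logs instead of the silent reads the flawed path allows."""
    counts = {}
    for subject, _, _, allowed in store.audit:
        if not allowed:
            counts[subject] = counts.get(subject, 0) + 1
    return counts

# Constructed sample data: two contractors identified by certificate CN.
SAMPLE_BIDS = [
    Bid(101, "CN=Acme Federal", 250_000, "Acme revenue statement"),
    Bid(102, "CN=Beta Systems", 310_000, "Beta balance sheet"),
]
```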
Having seen how the Gov't works in regards to computer systems, this is no surprise. Something gets reported, sits in an inbox, is read by someone who doesn't care, so they forward it to someone else... eventually, it hits the inbox of someone who cares. This person is the exception, not the rule. As soon as someone becomes a federal government employee, you can almost watch as they just stop giving a damn about anything.