GSA Bidding Site Compromised By Flaw

thomville writes "NY Times reports that eOffer, the government site allowing on-line bids for contracting government computer services, allowed viewing and modification of other contractor's corporate and financial data." From the article: "The security flaw, which could have permitted contractor fraud, was reported to the agency's inspector general on Dec. 22, but almost three weeks passed before the system was taken offline Wednesday afternoon. The General Services Administration is the federal agency responsible for procuring equipment and services, including computer security technology, making the lapse all the more striking. 'This is the government entity responsible for letting contracts for security,' said Mark Rasch, chief security counsel for Solutionary, a security firm. 'Clearly the people who log in would know about security.'"

ComputerWorld has more detail

[joeflies]

Computerworld article Apparently the "Flaw" was that records were accessed by a unique ID in the URL. Change the Unique ID, see a different record.

The site used digital certs to protect authentication, so it wasn't amtter of the wrong users getting in. But once inside, clearly there's a problem with access rights (the app probably accessed all records as privleged user) and coding.

Re:Tripwiring flaws

[DrMrLordX]

An interseting theory. However, the kind of data available due to this exploit was sensitive enough that the GSA would have been nuts to let it leak to competitors in the first place. One violater could have racked up tons of data on other bidding firms and distributed to any number of non-violaters, so the prospect of punishing exploiters later doesn't really make up for the fact that dozens, if not hundreds, of firms could wind up with sensitive data without ever being caught by the GSA.

Ok, but..

[CCFreak2K]

Did they find who left the Sony Music CD in the drive when they were done listening?