Security vulnerabilities at the IGF registration process

By APCNews     BALI, 25 October 2013

Two of the main areas traditionally discussed in the IGF are security and privacy and the fundamental role they play in making the internet a safe space for us all to exercise our right to freedom of expression, freedom of association, and freedom of assembly. This year's edition was no exception, and the security of the internet was discussed from the perspectives of users, governments and business. Several times panelists insisted that cybersecurity starts at home and that people need to be sensitised to that.

Yet, there was a major security vulnerability in the registration process that nobody noticed or raised.

When registering for the IGF, participants may have exposed their personal data, including full name and ID/passport number, to criminals, spies, intelligence agencies and dragnet surveillance programmes. After registering, participants received an email with a link that contained both their email address and passport number. The link was to a PDF that contained, amongst other information, full name, date of birth, ID/passport number and expiry date, and residential address. By clicking on this link, all this personal information could potentially be accessed by anyone eavesdropping at any point on the internet through which the email passed. The link did not expire after it was downloaded, so it could be downloaded an unlimited number of times, from any location. What's more, all the participants' emails remained on the IGF website, meaning that in the event of a security breach all the participants' registration forms could be downloaded.
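For contrast with the link described above, here is a sketch of a download link that carries no personal data, expires, and works only once. It is an added example, not the IGF site's code; the host `registration.example`, the 15-minute lifetime and all function names are assumptions.

```python
import hashlib, hmac, secrets, time
from urllib.parse import urlparse, parse_qs

SECRET_KEY = secrets.token_bytes(32)  # stays on the server, never placed in a link
TTL_SECONDS = 15 * 60                 # assumed link lifetime
_records = {}                         # random id -> registration data (in-memory stand-in)
_used = set()                         # ids whose link has already been redeemed

def store_registration(data):
    """Keep the form server-side under a random id that reveals nothing."""
    record_id = secrets.token_urlsafe(16)
    _records[record_id] = data
    return record_id

def _sign(record_id, expires):
    msg = f"{record_id}.{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def make_link(record_id, now=None):
    """Build a link holding only the random id, an expiry time and a signature."""
    now = int(time.time()) if now is None else now
    expires = now + TTL_SECONDS
    sig = _sign(record_id, expires)
    return f"https://registration.example/form?id={record_id}&exp={expires}&sig={sig}"

def redeem_link(url, now=None):
    """Return the stored data once; None if forged, expired or already used."""
    now = int(time.time()) if now is None else now
    query = parse_qs(urlparse(url).query)
    try:
        record_id = query["id"][0]
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return None
    expected = _sign(record_id, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                   # id or expiry was altered, or signature forged
    if now > expires or record_id in _used:
        return None                   # too late, or a second download attempt
    _used.add(record_id)
    return _records.get(record_id)
```

A link like this still travels by email, so expiry and single use limit what an eavesdropper can do with it rather than removing the exposure; deleting the stored form after redemption addresses the retention problem as well.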

None of the cybersecurity “experts” or stakeholders raised the issue until Alex Comninos, from the APC delegation, revealed the vulnerability.

Alex Comninos approached the IGF Secretariat team, which was very receptive to these concerns, and the personal information was deleted from the website. The data, if not already leaked, is now safe.

The IGF has struggled with very limited resources to make an easy-to-access website with a wealth of historical information spanning 8 years of IGFs. The site, however, has a limited budget and limited resources for its maintenance and security. The MAG, Secretariat, and all stakeholders should make the commitment to protect the security of all IGF participants. Furthermore, delegates themselves should commit to understanding and ensuring their own security. Looking forward, such awareness on the part of all stakeholders is essential for secure IGFs.

The whole incident draws attention to the fact that security starts at home. It would be constructive if we could focus on real cybersecurity issues at the IGF that affect us as netizens, focusing on defensive rather than offensive measures, and on the security of software and the security of people rather than the national security of states.

