Agencies advised of Companies Office fault

An issue arising from iGovt connection saw users wound up in other people's accounts

All government agencies have been advised of an issue arising from an iGovt connection to the Companies Office.

At this stage, it’s thought to be a technical fault where users at one site wound up in other users’ accounts when they tried to access the web site.

Department of Internal Affairs spokesperson Michael Mead, says all government agencies are being told of the issue by the Government CIO and asked to confirm that the problem does not exist on their systems, or to apply the appropriate fix.

“We have followed up, confirmed the technical fault relates to a single page on the Companies Office website and does not originate with the iGovt logon service. The Companies Office has now fixed the problem,” he says.

“At no time were the details of companies on the Companies Office website at risk.

“The issue was this: information was requested from the Companies Office site by a small number of users all working through a local cache server.

"The issue appears to have been limited to a small pool of users in very specific circumstances. Based on the information logged by the user, we have concluded that under unique circumstances it was possible to view another user’s credentials that had been cached earlier at the user’s local site.

“For this circumstance to arise, the users had to be located at the same site and accessing the same exact ‘type’ of details in the same defined time period, and be on the same proxy server.

“This was possible because the configuration on this one page of the Companies site being accessed did not include an appropriate instruction to prevent the caching offsite of non-static information. This missing single line of code should be routinely included to avoid the problem identified.”