21 July 2015
Exclusive: Visa application portal closed following SC Magazine investigation
By Davey Winder
After The Guardian broke the story of the security breach in VFS Global, SC Magazine UK investigated further, and discovered that the issue remained unsolved several days later. Based on the input from Alexey Utkin of DataArt UK and its own research, SCMagazineUK.com forced the visa application portal closed. The exclusive story tells the details.
"We first became aware of the latest security failure in the visa application system when SCMagazineUK.comwas approached by Alexey Utkin, head of financial practice at technology consultancy DataArt UK. Utkin pointed us in the direction of the Guardian story which broke over the weekend, and was concerned that the promised fix had not been properly implemented. Unaware at the time that he was talking to the journalist responsible for breaking the original story back in 2007, Utkin thought we would find the simplicity of the vulnerability unbelievable. He was right, but equally unbelievable was the fact that a system responsible for taking Schengen Visa applications for Italy visa applications submitted in UK could remain so fundamentally broken on the security front as we soon discovered.
But things got worse, a lot worse, when Utkin revealed that while what he refers to as the "surface manifestation of the problem" was removed by the Thursday, the fix that had been put into place was just as broken. "I immediately managed to spot another way to access any other applicant data without any special tooling" Utkin says "this once again confirms VFS incompetence in the data security matters on multiple layers, matters which should be so central for their business." And Utkin should know, he has worked for many years with DataArt and appreciates the kind of design, testing and security audit practices that should be applied to systems engineering, particularly systems containing such sensitive data as the visa application system.
"I was surprised that VFS didn't apply any of these principles in the new Italian visa system, showing total incompetence in the area of application and data security" Utkin told SC, concluding "I can understand software bugs but, from my experience, I am sure that in this case it was a systematic failure throughout. Problems like that wouldn't ever happen if people who designed the system knew the very basics of secure systems architecture or if system has been tested and security audited."