Oklahoma Department Of Corrections Website Exposed Sex Offenders Data
A critical flaw in the Oklahoma Department of Corrections website allowed (until recently) to extract any sensitive information from the database at will. SQL queries failed to perform any input validation on the information being presented from a database extended to every offender that had been sentenced to probation or incarceration within the Oklahoma Correction system, and not just those convicted of sexual or violent offenses. It also allowed the retrieval of Department of Corrections employee records and medical activity.
While having the ability to do this to any database of personal information maintained by a government body is a problem, the fact that it concerned the state’s Sexual and Violent Offender Registry means that there is more likely to be individuals and groups of people with a motivation to obtain or hide records in the database, and not necessarily socially beneficial motivation.
When notified of the flaw, the Department of Corrections modified the site so as to close the hole as reported, at least that is what initially appeared to be the case. It was soon discovered that the only change had been to perform a case-sensitive look up of some table data and left the hole wide open. It wasn’t until it was shown that employee data could be returned that the hole appeared to be closed off for good.
The developers executed several critical errors in establishing the site. They allowed a database with sensitive content to be accessible from the Internet. They also allowed queries from the website to access any of the information in that database and did not perform any filtering of the anonymous GET requests, which allowed to execute the SQL requests and returne the results to anyone. Furthermore, the SQL queries required to extract information were placed inside GET requests from the browser.
More on CyberInsecure:
Leave a Reply
Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.