Overview
CivicPlus provides a web platform for local governments. Included in this platform is the ability to send notifications to residents who opt in to them. These notifications can be sent via email or SMS. CivicPlus publishes a security FAQ that answers several questions, except for the important one: how to report a vulnerability to them.
My local municipality became a CivicPlus customer in 2018.
Vulnerability
West Fargo opted us in via the email address we were using for our utility bills. West Fargo has been pretty proactive about communicating over a variety of channels about what is going on in the community. I wanted to sign up for additional alerts. The site follows the standard mailing list method of sending a verification message to the address when changes are made or when the account is first signed up.
The change messages contain a one-time code to validate the change. However, the URL to view your settings is simply http://www.westfargond.gov/list.aspx?mode=Unsubscribe&Email=<email@address>&CID=255. That is all it takes to log into the account: knowing the email address, with no code or password. Once logged in, you can view the subscribed lists and the email address, which you already know. In addition, if the user has signed up for SMS messages, you can also see the last four digits of their phone number. The area code and exchange are dotted out, and those aren’t sent to the browser. Still, being able to convert an email address into the last four digits of a phone number with zero effort is less than ideal, since those four digits are exactly the fragment that account-recovery and support flows commonly ask for as proof of identity. See Krebs’s recent article, Why Phone Numbers Stink As Identity Proof. This is a slightly different problem than the one covered in his post, but being able to convert email addresses into partial numbers doesn’t help. Email addresses are generally a lot less private than phone numbers.
Communication
For a company that puts an emphasis on security in its marketing, their FAQ and site in general are conspicuously missing a vulnerability disclosure policy (VDP). I had to send an email to their help address asking about their VDP. That forced me to create an account in their ticketing system with ZenDesk. That naturally had certificate problems. I ended up having zero success trying to communicate with the company.
I also notified my municipality about the issues I found with their site. They were responsive and were able to follow up directly with the company. When I made an inquiry a couple of weeks ago to close this out, West Fargo sent me the response from the company. Thank you to West Fargo for working with me on this.
Resolution
The response to the city from CivicPlus was along the lines that it was just the last four of the phone number, and it wasn’t likely that “another citizen is going in with a specific email address”. I wasn’t worried about another citizen; I was worried about someone up to no good. You don’t design security systems around the idea that everyone will be a good actor.
What they should do is simply send an email containing a one-time, unique code (or link) to let the person back into their account. That would eliminate the need to create another account, and prevent anyone in the world from poking at random addresses and perhaps seeing parts of phone numbers. But instead, no action has been taken, as the company doesn’t see it as a problem. They also don’t have a security researcher response mechanism to go along with their security claims, so ideally they’d post a vulnerability disclosure policy.
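The email-only "login" described under Vulnerability, beside the one-time emailed code proposed above, as an added example that is not CivicPlus's or West Fargo's code. The subscriber records, the in-memory token store and the outbox are constructed stand-ins for a database and a mail transport; the masking format, the query-string handling and the 15-minute code lifetime are assumptions made for the example.

```python
"""Added example (not CivicPlus's or West Fargo's code): the email-address-only
settings page from the write-up beside a one-time emailed code flow.
Records, the token store and the outbox are constructed stand-ins."""
import hashlib
import secrets
import time
from urllib.parse import parse_qs

# Constructed subscriber records: the fields the settings page exposes per the write-up.
SUBSCRIBERS = {
    "resident@example.com": {"lists": ["alerts", "utility"], "phone": "7015550123"},
    "neighbor@example.com": {"lists": ["alerts"], "phone": None},
}


def mask_phone(phone):
    """Server-side masking (format assumed): only the last four digits reach the browser."""
    return None if not phone else "(...) ...-" + phone[-4:]


def render_settings(email):
    """Build the settings view for a subscribed address, or None if unknown."""
    rec = SUBSCRIBERS.get(email)
    if rec is None:
        return None
    return {"email": email, "lists": list(rec["lists"]), "phone": mask_phone(rec["phone"])}


# --- Pattern in the write-up: the Email= query parameter is the whole credential. ---
def handle_vulnerable(query_string):
    """Models list.aspx?mode=Unsubscribe&Email=<addr>&CID=255: no code, no password.
    Anyone who knows or guesses an address gets its lists and the phone mask."""
    email = parse_qs(query_string).get("Email", [None])[0]
    return render_settings(email) if email else None


# --- Hardened pattern: prove mailbox access with a one-time, expiring code. ---
TOKEN_TTL = 15 * 60   # seconds a code stays valid (assumed lifetime)
PENDING = {}          # sha256(token) -> (email, expiry); the raw token is never stored
OUTBOX = []           # (email, token) pairs "emailed"; stand-in for the mail transport


def request_login(email, now=None):
    """Mail a code to a subscribed address. The reply is identical for unknown
    addresses, so this endpoint cannot be used to enumerate subscribers."""
    now = time.time() if now is None else now
    if email in SUBSCRIBERS:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        PENDING[digest] = (email, now + TOKEN_TTL)
        OUTBOX.append((email, token))
    return "If that address is subscribed, a sign-in link has been sent."


def redeem(token, now=None):
    """Exchange a code for the settings view. The code is consumed whether or
    not it is still valid, so it can only ever be used once."""
    now = time.time() if now is None else now
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return None
    email, expiry = entry
    return render_settings(email) if now <= expiry else None


if __name__ == "__main__":
    print(handle_vulnerable("mode=Unsubscribe&Email=resident@example.com&CID=255"))
    print(request_login("resident@example.com"))
    _, code = OUTBOX[-1]
    print(redeem(code))
    print(redeem(code))   # second use fails
```

Storing only a hash of the code means a leaked copy of the pending table does not yield live sign-in links, and the identical response from request_login for subscribed and unsubscribed addresses closes the address-enumeration side channel that the original URL scheme leaves open.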
Recommendation
Don’t put your phone number in for CivicPlus notifications. It’s really that simple. Likely most people aren’t signing up for the SMS messages, but there is even less reason to do so now. CivicPlus is in a lot of cities, so your town may be using their services.
Communication Timeline
- November 26, 2018 – Email to the only address available on the site, asking about a VDP
- November 26, 2018 – Ticket created from email
- November 26, 2018 – Contact with West Fargo
- November 28, 2018 – Ticket closed with zero information
- Early March 2019 – Direct Message via Twitter to find security contact, no response
- March 5, 2019 – Contact with West Fargo to see if they heard back. Quick response and info from November 28, 2018 response from CivicPlus saying it isn’t a problem.
- March 20, 2019 – Publication