DigiD sessions small number of municipalities were possible hijack




The websites of twelve municipalities were vulnerable to an issue where the root login data from the Microsoft IIS server were to find out. This had led to intercept. Include DigiD sessions in theory

Digid logo The vulnerabilities attackers to run code on the website, for example intercept DigiD sessions. This confirms Logius, the organization responsible for, among other DigiD. An attacker would also be able to penetrate through to the internal network of the municipality thinks Erik Westhovens of DinamiQs that the security issue was on the track.

A total of twelve municipalities were affected by the vulnerability. “Due to the leak anyone could obtain full control of the web server”, said spokesman Rick Source Logius. According to him, it is a specific version of a CMS. “We have to be done by security firm Fox-IT, research and it shows that there is no abuse is made of the leak.”

Researchers DinamiQs entered the security issue on the track at an audit of a widely used CMS system ‘, which also appeared to be used by the municipalities. In addition, they could read a file containing data from the system administrator of the Microsoft IIS server stored. “Why were those data in that file is a very good question,” said Westhovens.

It is unclear how the DigiD sessions could be hijacked, the user enters his username and password, after all, on the website of the municipality, but is redirected to a login form on Digid.nl. The session IDs could potentially be stolen, or the company is referring to a scenario where the DigiD login form is spoofed. Logius and the discoverer of the leak would not go into that.

According Westhovens the content management system used by many municipalities. “We think half or more of all municipalities,” said Westhovens. Among them were four of the ten largest municipalities. Westhovens does not specify which municipalities are. “I do not think properly.” Other companies and healthcare institutions would use the CMS, although it is not clear whether it also used the vulnerable version.

The bug has been patched, but was open between eight and twelve months. The scanning tool that Westhovens and his company used, Nikto, also indicated that the vulnerability was already known.

Earlier on Wednesday wrote De Telegraaf all about the security issue: According to the newspaper to “millions DigiD users’ change their password. That seems to be better than, given the small number of affected municipalities. Westhovens of DinamiQs calls the news of De Telegraaf therefore bluntly.


In: Technology & Gadgets Asked By: [15519 Red Star Level]

Answer this Question

You must be Logged In to post an Answer.

Not a member yet? Sign Up Now »