In a response to SMEX’s questions on Thursday (January 27), the Lebanese General Security claimed that personal data on the passport renewal platform (gs-appt.gov.lb) is safe, disregarding our concerns as “false news.”
Last week, the Lebanese General Security launched a new platform (gs-appt.gov.lb) for booking passport renewal appointments to solve the problem of overcrowding in application centers. After a quick inspection, SMEX discovered that the platform is lacking data security and privacy measures, as well as transparency, and that it’s powered by Hani Saliba Foundation, an NGO belonging to a candidate running for elections.
The platform’s developer responded to our thread in a post on Reddit explaining that the General Security’s platform is safe, confirming that it has the SSL certificate. The platform currently runs an SSL certificate, but it was missing on Thursday when we wrote our initial thread. (Read brief technical analysis below; more will be published next week).
In a recent statement on Saturday (January 29), the General Security thanked the 2022 election candidate, Hani Saliba, explaining that the “data related to citizens are kept by the General Directorate of General Security only, and the servers that store this data are secure.”
Accountability and Transparency
We urge other NGOs and civil society groups working on elections and transparency to assess the legal and technical aspects of this platform, which is funded by the candidate running for the upcoming elections, Hani Saliba. We must be extra diligent with any politically-affiliated initiatives popping up only a few months before the anticipated Lebanese elections. What are the checks and balances in place to stop candidates from using public institutions for political gain?
To evaluate the safety of the General Security’s platform for passport renewals (gs-appt.gov.lb), our team conducted a brief analysis of what might be problematic for citizens’ privacy. In the following part we address the issues of Transport Layer Security (TLS), an encryption that provides cryptography between two or more communicating computer applications, and a leak of configuration that we discovered in our analysis. A longer, more comprehensive blogpost about our findings will be published next week.
Encrypted user to website connection
SMEX warned about the unsecure connectivity to the General Security passport website in a tweet last Thursday. After our technical check, we concluded that the certificate is put in place through CloudFlare services. The certificate in place supports all the TLS versions including the latest TLS 1.3. However, the certificate should be disabled for TLS 1.0 and TLS 1.1 since they are deprecated and exploitable.
Results can be found here: https://observatory.mozilla.org/analyze/gs-appt.gov.lb.
Our analysis detected a configuration leak on the IP on which we suspect the platform (gs-appt.gov.lb) is running now. This configuration leak was found in a development environment in which the developers of the application test out the app before making it accessible to the public and fully functional. It’s a bad practice to put development environments publicly as it might pose a security risk.
The configuration leak contains Database configurations such as database name, username and password, and some sensitive information. It’s important to note the danger of deploying development code on publicly available servers, as important information concerning the platform might be revealed.
Notice: We obstructed sensitive information in the above picture in order to protect Lebanese citizens from any potential harm or breach.
- The General Security, as well as any other public or private entities, must consider privacy and security by design: from policies to tech executions.
- Although we understand the need for a large set of older devices compatibility, we strongly recommend disabling TLS 1.0 and TLS 1.1.
- We urge General Security to change the database username and password immediately if it matches the one that has been leaked through the .env configuration file.