As our mission is to protect Lebanese citizens’ right to digital privacy, we ran a technical security and privacy analysis on the government-owned platform corresponding to the National Poverty Targeting Program (NPTP), nptp.gov.lb. Our findings reveal crucial vulnerabilities that would compromise the personal data collected on the website.
NPTP was launched by the Lebanese Ministry of Social Affairs in 2011; it is funded by the World Bank and operated by the Lebanese Government. A source at the World Bank told SMEX that they are not involved in the online platform launched by the Ministry. We contacted the General Director of the Ministry of Social Affairs inquiring about the platform and its security issues, but we have not received any response so far.
Technical and Legal Analysis
The most serious problem we noticed is the complete absence of SSL/TLS encryption on the website. Data submitted by users on the website, and in particular on http://nptp.gov.lb/Complaints/NewComplaint, is sent in plain text to the server located at the IP address 89.17.127.42.
The previously mentioned page requests a name and a phone number. This is a breach of users’ privacy, since the connection between the user and the server is unencrypted and every intermediary, ISPs included, can read it. This may lead to data sniffing and the collection of personal information without the consent of users. It also constitutes a breach of Article 93 of Law 81/18, the ‘E-transactions and Personal Data Law’, which states that:
“The personal data processing officer shall take all measures, in light of the nature of the data and the risks resulting from processing thereof, in order to ensure the integrity and security of the data and to protect the same against being distorted, damaged or accessed by unauthorized persons.”
On another level, the servers hosting the NPTP application run an outdated version of Microsoft IIS (version 7.5), which dates back to 2008. The fact that a server belonging to the Lebanese Government is running an outdated version indicates the absence of patch management or vulnerability monitoring by the NPTP web server managers. This makes the server potentially exploitable and might lead to leaking private citizen information.
We also detected several CVEs (publicly catalogued vulnerabilities) affecting this server that expose it to potential threats. We will not communicate these CVEs publicly, as doing so might endanger citizens’ data. However, we can reveal that we found three CVEs of high severity that must be remediated immediately. These CVEs can impact the availability and the confidentiality of the NPTP server and could result in a breach of the server.
Back in February 2021, during and after the Covid-19 lockdowns, we noticed that the nptp.gov.lb website was being widely circulated among citizens seeking to register for the poverty program. The increased traffic on the website exposed more citizens to possible data leaks and to scams spreading fake links. We urge the Ministry of Social Affairs to update the website, publish communication channels, and inform the public about the official body responsible for the website. We hope the Ministry responds as soon as possible.
Finally, the NPTP website does not have a privacy policy in any language.
Recommendations
We recommend that the Ministry of Social Affairs and the World Bank, which funds the NPTP program, update the NPTP website and implement the following recommendations:
- Get an SSL/TLS certificate from Let’s Encrypt and set it up on the server
- Adopt server hardening principles and policies
- Use automated patch management; many potential solutions are available as open source
- Use load balancers and a WAF in front of the web server instead of exposing it directly to the internet
- Develop a privacy policy for the program and the website, and publish it on the website so that citizens understand what they are risking when providing their information to the program. The contact form on the website requires names and phone numbers and sends them to the server in clear text without encryption, so sniffing of this data is highly possible.
- Use reCAPTCHA before form submission to deter spammers and potential input injection attacks.
- State clearly and publicly the official body responsible for this website and program, and dedicate multiple communication channels, not just an anonymous phone number, to avoid scam attacks targeting people in need.
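As an added illustration of the first recommendation (this is not the Ministry’s or SMEX’s configuration), the `web.config` fragment below forces every plain-HTTP request, including the complaint form, onto HTTPS and adds an HSTS header on an IIS server. It assumes the IIS URL Rewrite module is installed and that a certificate is already bound to port 443; the site name and header values are our own choices.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example web.config for an IIS site that must not accept cleartext form posts.
     Assumes: IIS URL Rewrite module installed, TLS certificate bound to :443. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- 1. Any request arriving over HTTP (HTTPS server variable = off)
                is answered with a 301 to the same path on https://. A browser
                following the redirect then submits the complaint form over TLS. -->
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect"
                  url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
      <outboundRules>
        <!-- 2. On HTTPS responses, set Strict-Transport-Security so returning
                browsers never try http:// first. The value (one year, including
                subdomains) is an illustrative choice. -->
        <rule name="Add HSTS header">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying it, requesting http://nptp.gov.lb/Complaints/NewComplaint should return a 301 to the https:// URL, and the HTTPS response should carry the Strict-Transport-Security header; a missing header or a 200 over plain HTTP means the rule is not active.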
We are ready to help with new apps and websites looking to fortify their privacy and security, and we will – in partnership with Friedrich Naumann Foundation (FNF) Lebanon and Syria – expand our work on serving as a watchdog over citizens’ digital data on Lebanon’s government platforms.