Researchers find vulnerabilities in German government communication system
Researchers at the Austrian security firm SEC Consult have found vulnerabilities in a collection of protocols for the German e-government system. The system enables communication between government agencies and between the government and citizens, among other things.
The vulnerabilities are in OSCI, which forms the basis of the German e-government system. The researchers focused on OSCI's Java library and found several vulnerabilities in it. For example, modified XML data could be used to read data on a target's system or to carry out a DoS attack. In addition, it was possible to crack the encryption because outdated algorithms are used.
Another vulnerability made it possible to modify the content of a signed message without invalidating the signature. Among other things, the company collaborated with the German BSI to close the vulnerabilities found. The necessary patches have already been released.
OSCI, or Online Services Computer Interface, is supposed to ‘provide a secure format for the exchange of data’. According to SEC Consult, the system is used for public care, civil status, documents, registration of persons and communication within the Ministry of Justice. The OSCI protocol is based on XML, and its messages are usually sent over HTTP connections, the company said.