The authentication process via German ID cards with RFID chips to certain web services can be manipulated to allow identity spoofing and changing the date of birth.

German identity cards issued since 2010 come with a radio frequency identification chip that stores information about the holder. This includes name, date of birth and a biometric picture. If the holder so chooses, it can also store their fingerprints.

RFID chip used for logging in

The new cards are machine-readable and can be used as travel documents in most countries in Europe, as well as for authentication into online government services (tax, mail) or for age verification.

Authentication via the RFID chip is possible using a smartcard reader and an eID client application that communicates with the RFID chip and an authentication server to validate the login data.

To prevent tampering with the ID card data, the authentication server checks the validity of the information and then signs its reply, so that the web service can trust the legitimacy of the data received.

German Federal Office of Information Security (BSI)

Authenticating with Goethe's name and address

Wolfgang Ettlinger researched the vulnerability for SEC Consult Vulnerability Lab abd and able to bypass protections from the authentication server and fool the web application to accept the altered data.

The vulnerability is in the Governikus Autent SDK, a software component that enables companies to add the ID card authentication feature to a web service.

The researcher found a way to manipulate the response from the server without breaking the seal of trust given by the digital signature.

Ettlinger was able to authenticate with an arbitrary name against a demo version of an eID client (AusweisApp). The expert changed the eID holder's name to Johann Wolfgang von Goethe and used the address (Frauenplan 1, 99423 Weimar) the writer lived at for 50 years, where today is the Goethe Museum.

This was possible by providing the web app a reply containing a valid signature from the authentication server and then delivering a manipulated response with the card ID details, which does not require validation.

Pulling this off works when the exchange of the authentication and authorization data relies on the Security Assertion Markup Language (SAML) standard.

The vulnerability abuses the fact that Governikus Autent SDK verifies the signature using a method that does not consider the possibility of a parameter occurring multiple times. This way, once a parameter is validated, other instances are parsed as if they already passed verification.

"If an attacker supplies multiple parameters named SAMLResponse, the signature is verified against the last occurrence of the parameter, while the SAML response that is processed further, will be taken from the first occurrence," the researchers explain.

Exploiting the vulnerability

For the manipulation to be successful, an attacker needs a query string that has been signed by the authentication server. Details like the time of the signature or the individual this was requested for are irrelevant.

Even if the query string is valid for a brief period, the expiration check is carried out for the data on the ID card.

According to the researchers, getting a valid query is not difficult if you know where to look, as they are available with a Google search for eID client logs.

The researchers demonstrate their findings in the video below:

Web applications running Autent SDK 3.8.1 and earlier handling duplicate HTTP parameters are vulnerable. SEC Consult disclosed the details of the issue privately to CERT-Bund in July and Governikus patched the vulnerability in version its SDK.

Some websites supporting eID authentication are less vulnerable to this attack, like those that use require an initial registration and use "pseudonyms" instead of the real name of the ID card holder. Pseudonyms are random strings of characters acting as a unique card-specific identifier; they are stored by the web app when the user registers an account.

"As another user’s pseudonym is not easily guessable, an attacker cannot login as another user. The account creation step, however, is still affected by this vulnerability as the attacker could simply generate a random pseudonym," the researchers say.

Related Articles:

WordPress Security Patch Addresses Privacy Leak Bug

Microsoft December 2018 Patch Tuesday Fixes Actively Used Zero-Day Vulnerability

Apple Fixes Passcode Bypass, RCE Vulnerabilities, and More in Today's Updates.

Adobe Flash Player Update Released for Remote Code Execution Vulnerability

UK's NCSC Explains How They Handle Discovered Vulnerabilities