GSA takes down eOffer after finding security flaw
- By Michael Hardy
- Jan 13, 2006
The General Services Administration took down the eOffer electronic commerce Web site after a contractor discovered that anyone with access to the system could change bids submitted by other contractors.
Jennifer Millikin, deputy director of communications at GSA, said in a statement that the agency believes they learned of the problem before any users were harmed.
"The glitch was brought to our attention by an authorized user of the site," Millikin said in the statement. "Once informed, GSA immediately shut down the site and began taking corrective action. The agency also launched an intensive search to identify possible irregularities within the other electronic tools GSA provides to its customers."
Aaron Greenspan, president of computer security firm Think Computer, discovered the vulnerability. Greenspan was trying to file documents to apply for a GSA Schedule 70 contract through the system when he discovered that he could summon documents filed by other companies and change them.
Greenspan said he deleted one of his documents after discovering a minor error, and when he filed the corrected version, he noticed that the identification number advanced by one. Out of curiosity, he typed in the original number and got the original document.
Then he tried a number chosen at random, and the system delivered a document filed by a different company.
“The system had no authentication at all," he said.
Greenspan said an unscrupulous user could exploit the flaw to easily call up bid documents from another company and modify them. It would require only an account on the system and the other company's identification number, which is not private.
He said it would not have been difficult to seal the hole during the system’s development.
“I know how the code generally works," he said. "You need about five more lines to make sure the person with the [company identification number] actually owns it. That’s what they were missing.”
GSA launched the site in May 2004 to allow companies to companies to electronically submit the required documents for GSA schedule contracts. As of this morning, the site remained down.