Concerns over British visa website security bug

gallery

Problems with the website that revealed the personal details of people applying for visas in Britain is more widespread than first thought, the company behind the website admitted.

The flaw, exposed by Davey Winder, a contributor and blogger for both IT PRO and sister publication PC Pro, occurred on the VFS website, the British High Commission's partner for processing UK visa applications. By changing a few numerical identifiers in the website's URL, visitors could gain access to the company's database. The details that have potentially been revealed include passport numbers, addresses, names, family details and travel plans.

The hole was first discovered by a Visa applicant from India, but it has since been revealed that the same flaw existed for applicants from across the globe. VFS handles British visa applications from India, China, Russia and several other countries. It also handles visa applications for a dozen other countries.

When Winder asked Uttam Lahiry, Head of IT for VFS Global, if the problem was worldwide and if it had been fixed accordingly, he responded "it is (sic) been resolved globally".

Winder claimed that the sheer scale of the problem could have huge implications for international security. "With some of these clients dating back to 2001 it becomes clear that the potential number of people whose data was at risk of exposure rises from thousands into millions," he said.

"VFS Global claim to handle 3 million applications per year, do the maths..."

Email to a friend

Print this page