Monday, August 31, 2009

XSS Vulnerability in the Real Life: Passports

I'm traveling again. This time to Australia. I travel a few times a year, always departing from the U.S.

Each time I travel internationally, the check-in airline agent dutifully inspects my passport. The latter has acquired a sizable collection of visa labels, admittedly much flashier than the dull black-on-white photo page of the Polish passport. The visas usually occupy the whole page, look nice, and are formatted to somewhat resemble a passport page -- they have a picture, same personal data, and the two machine readable lines on the bottom.

Each and every time the airline personnel will ignore the photo page and look at the first official-enough-looking visa. Somehow it always happens to me in the U.S., and never abroad. Heck, they get angry at me for pointing out that they really should not be looking at the flashy visa labels, but at the picture page. Sigh.

Call me paranoid, but if this isn't a huge honking screaming-in-yer-face security vulnerability in the passport inspection process, then I don't know what is. It's like the cross-site scripting vulnerability. You have a trusted webpage (document), and a third party can inject arbitrary data and have it be trusted just the same. IANAL, but last time I checked anyone can stick anything into the visa pages of a passport.

Next we know, someone will find that a system that dutifully reads and trusts machine readable pages will have some sort of a null-terminated string vulnerability. Perhaps one that can lead to executable code injection. Thus we make the full circle: from code on punched cards, to code on optically machine-readable paper. Not that some card readers didn't use optical readouts, mind you :)

No comments:

Post a Comment