The company hosting a website that processes visa applications from Indian citizens wishing to travel to the UK had a security hole for over a year that allowed someone to view and modify the details of other applicants. The potential abuse of this flaw by criminals and terrorists is frightening, as it could have allowed them to submit and get valid visa applications, allowing them to travel to countries they otherwise would not be able to go to. Why run the risk of forging a visa when you can simply use this security hole to obtain a valid one?
The fact that this vulnerability existed for over a year without the authorities responding to it is reason for grave concern. What is the point of implementing strict border controls and enhanced checking of government-issued travel documentation if the authorities ignore a security hole that terrorists and criminals can exploit to get valid visas?
All security systems should be viewed in their entirety, rather than by focusing only on certain elements within the system. In this case, the focus on one element of the system, checking for forged travel documentation to prevent criminals and terrorists entering the country, is completely undermined if these parties can obtain valid documentation.
It should also be noted that VFS Global, the company responsible for the UK visa application site, also processes visa applications for other countries such as the United States, Australia, Italy, France, Canada, Germany, Belgium, The Netherlands, Sweden, Thailand and Ireland. It appears visa applications to those countries were also affected as per http://www.dharwadkar.com/weblog/hack_us_visa.
I wonder if our Department of Foreign Affairs are aware of the issue?
The story first broke on Davey Winder’s Blog. Additional coverage of the story is available at these sites;