Alberta Legislator Who Tested Security of Provincial Vaccine Website Facing Possible Fine cbc.ca

Janice Johnston, CBC News:

[Edmonton-South West MLA Thomas] Dang has said that last September, a computer-savvy constituent contacted him with concerns about potential vulnerabilities on the newly launched Alberta Health vaccine portal.

According to a court document, Dang told RCMP in a January interview that as an MLA with experience in cybersecurity it was his duty to ensure the system was secure. But an Edmonton cybersecurity expert disagrees.

[…]

Between Sept. 19 and 23, Dang’s computer program made 1.78 million queries using [Alberta Premier Jason] Kenney’s personal information. Dang admitted to RCMP and later during a news conference that the queries were randomly generated guesses aimed at revealing the premier’s health-care number.

This is clearly an unethical, unsanctioned security test for which Dang is lucky to not be facing criminal charges. But it is utterly shameful it was possible to test 1.7 million queries against the vaccine portal in four days, which works out to about five or six guesses every second.

I tweeted in support of Dang but I can also see how bad this looks for the security industry. The Government of Alberta does not run a bug bounty program, so there is no presumptive authorization for testing the security of its public systems. Dang, even if well-intentioned, had no permission to try this.

Even so, preventing brute-force attacks is a bare-minimum level of security anyone should expect. In attempting to build a proof-of-vaccination system, the Alberta Government created an automated health-number and identity validator. It is impossible to say how long this would have remained a problem had Dang not raised the issue as early as he could, but it is worrisome that it was released this way in the first place.
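To make the point concrete, here is an added example (not code from the post, and not Alberta Health's implementation) of the kind of throttling that would have blunted the attack described above. It keys the counter on the identity being looked up, not the client address, and the policy values (window, limit, lockout) are assumptions chosen for illustration.

```python
from collections import deque

# Assumed policy values for this example (not from the post or from Alberta Health).
WINDOW_MS = 60_000        # sliding window for counting failed lookups
MAX_FAILURES = 10         # failed lookups allowed per identity within the window
LOCKOUT_MS = 900_000      # 15-minute lock once the limit is hit


class LookupGuard:
    """Throttle failed identity lookups per *target* identity.

    The counter is keyed on the identity fields the caller submits (name and
    date of birth here), not on the client address, because the post describes
    one person's details being hammered with guessed health numbers; an
    attacker who rotates IP addresses would otherwise never hit a limit.
    """

    def __init__(self):
        self._failures = {}      # identity key -> deque of failure timestamps (ms)
        self._locked_until = {}  # identity key -> time (ms) the lock expires

    @staticmethod
    def _key(name, dob):
        return (name.strip().lower(), dob)

    def allow(self, name, dob, now_ms):
        """Return True if a lookup for this identity may proceed right now."""
        return self._locked_until.get(self._key(name, dob), 0) <= now_ms

    def record_failure(self, name, dob, now_ms):
        """Note a non-matching lookup; lock the identity if the window overflows."""
        key = self._key(name, dob)
        q = self._failures.setdefault(key, deque())
        q.append(now_ms)
        while q and q[0] <= now_ms - WINDOW_MS:   # drop attempts outside the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self._locked_until[key] = now_ms + LOCKOUT_MS
            return True
        return False


def simulate_failed_lookups(timestamps_ms, name="Jane Sample", dob="1970-01-01"):
    """Replay a constructed sequence of non-matching lookups against one identity
    and return how many of them the guard let reach the back end."""
    guard = LookupGuard()
    accepted = 0
    for t in timestamps_ms:
        if guard.allow(name, dob, t):
            accepted += 1
            guard.record_failure(name, dob, t)
    return accepted


if __name__ == "__main__":
    # One hour of guesses at the roughly five per second the post works out to.
    print(simulate_failed_lookups(i * 200 for i in range(18_000)))   # -> 40
    # A real user mistyping their number three times in half a minute is unaffected.
    print(simulate_failed_lookups([0, 10_000, 25_000]))              # -> 3
```

With these values an hour of guessing at five per second gets 40 lookups through instead of 18,000, while a legitimate user who mistypes a few times never notices the guard.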

Dang says he will not run for re-election; his term in office ends in May 2023.