myGovID, the default login option[1] for agents used by the Australian Taxation Office (ATO), is vulnerable to a code replay attack, security researchers Ben Frengley and Vanessa Teague said.

Writing in a blog post[2], the pair described how an attacker could use a malicious login form to capture a user's email address and relay the resulting login code, letting the attacker log in to other accounts held by the myGovID user.

The nub of the attack is that when a myGovID user attempts to log in to a site, they are asked to input a four-digit code into the myGovID smartphone app to verify the login -- no passwords are used, and the only identifying piece of information the user supplies is an email address.

If the attacker can capture an email address, the attacker can use it to start a login to a different myGovID-protected service and then relay the code that service generates to the user, who enters it into the myGovID app. Once the code is entered, the user believes they are logged in to the site they intended, while the attacker is simultaneously logged in to the user's account elsewhere.

The user is not alerted to the other login taking place.
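The information flow described above, as an added illustration that is not the researchers' code and not the real myGovID implementation: a toy identity provider hands out a four-digit code to whichever service starts a login, and the phone app approves whatever pending login matches the email and code the user types in. The `IdentityProvider` and `LoginSession` classes, the two example service names and the sample email address are all assumptions made to show why the code alone carries no information about which site asked for it, and how displaying the requesting site in the app (the short-term mitigation) lets a diligent user refuse the relayed code.

```python
# Simplified model of a code-relay attack on an email-plus-code login flow.
# Added example only: not the researchers' code, not the real myGovID
# protocol. Class names, service names and the sample email are assumptions.
import secrets
from dataclasses import dataclass


@dataclass
class LoginSession:
    email: str            # the only identifier the user ever provides
    service: str          # the relying party that asked the IdP to start this login
    code: str             # 4-digit code the user is told to type into the app
    approved: bool = False


class IdentityProvider:
    """Issues one 4-digit code per login attempt. The app later approves the
    pending attempt matching (email, code). Nothing in the code itself says
    which site the *user* believes they are logging in to."""

    def __init__(self):
        self.pending = {}  # (email, code) -> LoginSession

    def start_login(self, email, service):
        code = f"{secrets.randbelow(10_000):04d}"
        session = LoginSession(email, service, code)
        self.pending[(email, code)] = session
        return session

    def lookup(self, email, code):
        # What the phone app can learn about a code before approving it.
        return self.pending.get((email, code))

    def approve(self, session):
        self.pending.pop((session.email, session.code), None)
        session.approved = True


def run_attack(app_shows_requester: bool) -> bool:
    """Returns True if the attacker ends up with an approved session at the
    target service. app_shows_requester=False models the flow as described;
    True models an app that displays the requesting site to the user."""
    idp = IdentityProvider()
    victim_email = "victim@example.com"    # constructed sample identity
    phishing_site = "login.evil.example"   # site the victim thinks they are using
    target_site = "agent-portal.example"   # account the attacker actually wants

    # 1. Victim types their email into the attacker's lookalike login form.
    captured_email = victim_email

    # 2. Attacker immediately starts a genuine login at the target service
    #    with the captured email and receives a real code from the IdP.
    attacker_session = idp.start_login(captured_email, target_site)

    # 3. Attacker's page shows that code to the victim as if it belonged to
    #    the phishing site. The code carries no binding to any service.
    code_shown_to_victim = attacker_session.code

    # 4. Victim opens the app and enters the code. The only clue available
    #    is the service that actually requested it, if the app displays it.
    pending = idp.lookup(captured_email, code_shown_to_victim)
    if app_shows_requester and pending.service != phishing_site:
        return False  # diligent user refuses: requester is not the site on screen
    idp.approve(pending)

    # 5. Approval lands on the attacker's session at the target service;
    #    the victim is told nothing about that login.
    return attacker_session.approved


def run_legitimate_login() -> bool:
    """Honest flow for comparison: the site the user is on is the one that
    requested the code, so the mitigation check passes."""
    idp = IdentityProvider()
    site = "agent-portal.example"
    session = idp.start_login("victim@example.com", site)
    pending = idp.lookup("victim@example.com", session.code)
    if pending.service != site:
        return False
    idp.approve(pending)
    return session.approved


if __name__ == "__main__":
    print("attacker succeeds without requester display:", run_attack(False))
    print("attacker succeeds with requester display:   ", run_attack(True))
    print("legitimate login succeeds:                  ", run_legitimate_login())
```

The point the model makes is structural: because the relying party, not the user, initiates the exchange and the user only ever sees a bare code, the IdP cannot distinguish a relayed code from a legitimate one. Showing the requesting site in the app gives the user something to compare against, but only helps if they know to compare it.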

"This attack is detectable by a diligent user who understands the protocol well enough to know that they should only accept 4-digit codes from mygovid.gov.au (and knows how to check for TLS)," the pair wrote.

"However we believe that there are very few users in this category, because it is a counter-intuitive protocol designed to reverse the information flow relative to what users are accustomed to."

The researchers' suggested short-term mitigation is to tell users which site is requesting the login; in the long term, the pair recommended ditching the framework altogether.

"In the long run,

Read more from our friends at ZDNet