By Innocent Anaba
A tech firm, WebITScure.com, has faulted the Electoral Committee of the Nigerian Bar Association, ECNBA, portal for the Nigerian Bar Association, NBA, national elections slated for July 29, saying it was vulnerable.
Director of Professional Services, WebITScure.com, Mr. Trend Makarios made the assessment in a ‘Vulnerability Assessment Report of the NBA portal’, done at the behest of Mr. Olumide Akpata, one of the presidential candidates of the NBA national elections.
Makarios said: “In line with concerns citing reports of users on the NBA portal complaining of user passwords being changed without their initiating such action, and your request for a vulnerability assessment of the Nigerian Bar Association, NBA, portal, we carried out a vulnerability assessment of the web platform with IP 220.127.116.11 and came up with the following deductions:
“The NBA Portal is built on Drupal 8, an Open Source Content Management Software. The platform is a template edited for the NBA; the NBA portal has a vulnerability severity rating of between 4 and 7, based on discovered vulnerability exposures; and the following vulnerability was discovered on the platform: Cross-Site Request Forgery, CSRF.
“Cross-Site Request Forgery is an attack that tricks the victim into loading a page that contains a malicious request.
“It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf, such as changing the victim’s e-mail address, home address, or password, or purchasing something.
“CSRF attacks generally target functions that cause a state change on the server, but can also be used to access sensitive data.
“For most sites, browsers will automatically include with such requests any credentials associated with the site, such as the user’s session cookie, basic auth credentials, IP address, Windows domain credentials, etc.
“Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish this from a legitimate user request.
“In this way, the attacker can make the victim perform actions that they didn’t intend to, such as log out, purchase item, change account information, retrieve account information, or any other function provided by the vulnerable website.”
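As an added illustration, not part of the report or of this article, the Python below models the kind of state-changing password request the report describes, once in a form that trusts the session cookie alone and once with a session-bound synchronizer token and an Origin check. The site origin, session ids, usernames and passwords are constructed values, and the handlers are a simplified model rather than Drupal’s own code.

```python
"""Model of a password-change endpoint: cookie-only (vulnerable) vs. token-checked."""
import hashlib
import hmac
import secrets

# Constructed server-side secret and session store (hypothetical, not the portal's).
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sess-victim": {"user": "alice", "password": "original"}}
SITE_ORIGIN = "https://portal.example"  # constructed


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: an HMAC over the session id, so it is unguessable and
    cannot be reused across sessions. The server embeds it only in its own forms,
    which a page on another origin cannot read."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_password_unsafe(request: dict) -> int:
    """Vulnerable: the browser attaches the session cookie to any request for this
    site, so a request triggered from a third-party page is accepted as the user's."""
    session = SESSIONS.get(request["cookies"].get("SESSID"))
    if session is None:
        return 401
    session["password"] = request["form"]["new_password"]
    return 200


def change_password_safe(request: dict) -> int:
    """Hardened: same cookie check plus a per-session token that a cross-site page
    cannot obtain, with an Origin-header check as defence in depth."""
    sid = request["cookies"].get("SESSID")
    session = SESSIONS.get(sid)
    if session is None:
        return 401
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403  # request did not come from a page on our own origin
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, issue_csrf_token(sid)):
        return 403  # token missing or not bound to this session
    session["password"] = request["form"]["new_password"]
    return 200


def same_site_request(new_password: str) -> dict:
    """What the site's own password form submits (constructed)."""
    return {"cookies": {"SESSID": "sess-victim"},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"new_password": new_password,
                     "csrf_token": issue_csrf_token("sess-victim")}}


def third_party_request(new_password: str) -> dict:
    """What a form auto-submitted from another origin produces: the browser still
    sends the victim's cookie, but no token and a foreign Origin (constructed)."""
    return {"cookies": {"SESSID": "sess-victim"},
            "headers": {"Origin": "https://other-site.example"},
            "form": {"new_password": new_password}}
```

Running the two handlers against both request shapes shows the difference directly: the cookie-only handler accepts the third-party request and changes the password, while the token-checked handler rejects it and accepts only the site's own form.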