An update resulted in a weakness that could let hackers lock users out of their own MitID accounts if the hacker knew the user’s personal registration or CPR number. The flaw has now been fixed, making the system secure, broadcaster DR reports.
The update, added to the system by Nets, the secure online payment system used in Denmark, resulted in a weakness that could allow hackers to send a log-in request by adding a CPR number to a browser URL, DR writes.
If repeated requests are sent without the user actually logging in, the user can be frozen out of their digital ID, meaning they are unable to access public service platforms, online banking and secure payments.
The issue was identified and fixed by IT security staff last week, according to DR.
The Danish Agency for Digitisation (Digitaliseringsstyrelsen) told DR in a written comment that there was “regrettably an unintended implementation with an individual broker”. The issue has now been fixed, it said.
The issue follows an earlier problem with MitID identified by engineering journal Ingeniøren, which reported last month that a coding trick could enable hackers to easily identify the usernames of MitID users.
The Agency for Digitisation told DR that users who have lost confidence in the system’s security can “confidently obtain and use MitID”.
The MitID digital ID system is gradually replacing NemID as the online ID used in Denmark for access to public service platforms, online banking and shopping online.
NemID will be turned off for secure platforms like banking and public services on October 31st. After this date, only MitID can be used to log on.
Other platforms, like online shopping, will still accept NemID for now. The old system will be fully decommissioned on June 30th, 2023.