Security researcher Nik Cubrilovic found gaping holes in the myGov website more than a year ago.

It is understood some of the flaws have been patched since the government was informed of them on May 2. How long the vulnerabilities have been in place is unknown, although the site has existed in various forms since 2009.

Mr Cubrilovic demonstrated how he was able to hijack this writer's myGov account and access, if linked, Tax Office, Centrelink, Medicare, Child Support, Department of Veteran Affairs, e-health, and National Disability Insurance Scheme information.

There is no suggestion a hacker exploited the vulnerabilities, deemed "basic" and well-known by security experts, for malicious purposes, although Mr Cubrilovic believes he probably wasn't the first to discover them on the site.

To have information stolen, Mr Cubrilovic said, a myGov user wouldn't even have to click on a bad link. Instead they would just need to visit a website containing malicious code designed to extract specific information when visiting myGov. One way such code could be inserted is via third-party advertisements appearing on Australian news websites, as occurred with SBS and the Herald Sun in 2011.

Some of the information accessible via my.gov.au when linking it to Medicare.

"If you were to score this [myGov] site out of 10 in terms of security it would be, like, zero or barely half a point," Mr Cubrilovic, of Wollongong, said.

"You could get into anybody's account just by sending them a link either directly to the myGov website or to another website that … runs the exploit code," he said.

E-health records, including prescription drugs, are also accessible using my.gov.au.

After reporting the vulnerabilities to the Australian government's chief technology officer John Sheridan, the issues were forwarded to the Department of Human Services, which manages the myGov website.

On May 7, chief information security officer at the department, Colin McLean, responded to Mr Cubrilovic's report without directly acknowledging the issues, which frustrated the researcher. The letter also appeared dismissive of the findings, saying that data was "in very safe hands" - a line issued when other security issues with myGov were raised earlier this month.

Child immunisation records are accessible too.

Other IT security experts have backed Mr Cubrilovic's findings.

"The simplicity and the range of the vulnerabilities doesn’t give me any confidence that the data is in safe hands," Sydney software architect and IT security consultant Troy Hunt said.

Centrelink payments are also made available via my.gov.au.

"The fact that Nik was able to demonstrate a basic attack that could allow an attacker to access the victim’s account simply by them [visiting a site] is evidence that the data is anything but 'safe'."

After seeing the letter provided to Mr Cubrilovic about the issues, Mr Hunt labelled it an "appalling response" because it didn't address any of the findings made.

"The department’s response didn’t acknowledge any of these risks and by instead claiming that the data was 'in very safe hands' demonstrates that they don’t understand the severity of Nik’s findings…," Mr Hunt said.

Ty Miller, director of Sydney IT security firm Threat Intelligence, agreed the data wasn't safe.

"This basically proves that the data has not sufficiently been protected," he said. "Each of the vulnerabilities identified should have been picked up by appropriate security testing. In particular, cross-site scripting is the most common vulnerability that we find during penetration tests."

"Most of these vulnerabilities shouldn’t have even been there in the first place," Mr Hunt added. "That the programmers were not aware of such fundamental security constructs is very worrying and certainly they should have been detected by security professionals."

"The class of the vulnerabilities ... are such that they are very basic and elementary," Mr Cubrilovic said. "I found them within a few minutes and anybody who is a security analyst who would have spent mere minutes on the website would have found the same bugs.

"It's a very serious issue. You've got millions of people who have their lives in terms of their Medicare, potentially their future tax records available online to anybody to be able to access."