How I could have been the administrator for all Dutch companies and created invoices. And still can be…
Hello, my name is Bob van der Staak. I am an ethical hacker and security enthusiast. I performed this security research in my personal time and personal capacity. A few months ago on LinkedIn I came across a post which mentioned a celebration: a new government website had gone live that day.
From the bug bounty / hacker's perspective a new website can always contain some low-hanging fruit. So, I was eager to check the website, and there I noticed that there was a registration button.
However, instead of an account, it requested you to enter the name of your company. The extra data would be retrieved from the Dutch KVK Business Register. After entering a company (which I do not own personally), I was prompted to create an account for that company. It indicated that I would be the first contact person within "my" company, and that with this account I would later be able to add extra persons.
I finished the account creation and received an automatic email from the Dutch government. It gave me a link to activate my account for the given company. I was amazed. I would have expected verification that I was really the owner of that company.
I decided to go further, and after activation I could log in and was the administrator, debtor administrator and order manager for that company!
This could easily be scripted with Burp Suite to make me the administrator for all Dutch companies which didn't have an account yet! Because the website had only been live for a few hours, the chance of being the first was huge!
With this account I came across pages which indicated I would be able to write new invoices in the name of that company. I could even add my own bank account to the system. A bit like 'impersonating company identity'.
Besides the possibility for me to make invoices in the name of a company that I do not own, there was also the effect that the legitimate owner would be shut out. The owner would not be able to create an account for his or her own company. They would receive a message indicating that the company was already registered and that they should contact the administrator of the portal. However, I was that administrator, and the message did not disclose my information. So the owner must contact the government helpdesk, which could result in lots of work for the government agency.
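To make the two effects above concrete (first-come-first-served takeover of a company, and the lockout of the real owner), here is an added illustration in Python. It is not the portal's code and I have no knowledge of how the real site is built; the KVK register, company numbers, e-mail addresses and the "registered contact address" that the hardened flow relies on are all constructed assumptions. The vulnerable flow hands the administrator role to whoever names a company first; the hardened flow mails the activation token only to an address the claimant cannot choose, so an attacker can start a claim but never complete it. Proving ownership through the register's own contact address is just one possible control; eHerkenning, which the responsible party mentioned, is another.

```python
"""Added illustration (not the portal's own code): first-come-first-served
company registration versus a claim flow that proves ownership before
granting the administrator role."""
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the KVK Business Register. Assumption: the register
# holds a contact address per company that a claimant cannot influence.
KVK_REGISTER = {
    "12345678": {"name": "Example B.V.", "registered_email": "directie@example.nl"},
    "87654321": {"name": "Voorbeeld V.O.F.", "registered_email": "info@voorbeeld.nl"},
}


@dataclass
class Portal:
    admins: dict = field(default_factory=dict)    # kvk number -> administrator e-mail
    pending: dict = field(default_factory=dict)   # activation token -> kvk number
    outbox: list = field(default_factory=list)    # (recipient, token) e-mails "sent"

    def register_vulnerable(self, kvk: str, claimant_email: str) -> str:
        """Vulnerable: the first person to name a company becomes its administrator."""
        if kvk not in KVK_REGISTER:
            raise ValueError("unknown company")
        if kvk in self.admins:
            # The legitimate owner ends up here, with no way to see who took the company.
            return "already registered; contact the portal administrator"
        self.admins[kvk] = claimant_email
        return f"{claimant_email} is administrator of {KVK_REGISTER[kvk]['name']}"

    def start_claim(self, kvk: str) -> None:
        """Hardened step 1: record the claim, but send the single-use activation
        token to the address the register holds, not to an address the
        claimant typed in."""
        if kvk not in KVK_REGISTER:
            raise ValueError("unknown company")
        token = secrets.token_urlsafe(16)
        self.pending[token] = kvk
        self.outbox.append((KVK_REGISTER[kvk]["registered_email"], token))

    def activate(self, token: str, admin_email: str) -> str:
        """Hardened step 2: only someone who can read the registered mailbox
        has the token, so only they can bind an administrator to the company."""
        kvk = self.pending.pop(token)   # KeyError on an unknown or already-used token
        if kvk in self.admins:
            return "already registered; contact the portal administrator"
        self.admins[kvk] = admin_email
        return f"{admin_email} is administrator of {KVK_REGISTER[kvk]['name']}"


def mass_claim_vulnerable(attacker_email: str = "attacker@example.org") -> dict:
    """The scripted loop over every company in the register (what a Burp
    Intruder run against the vulnerable flow would achieve)."""
    portal = Portal()
    for kvk in KVK_REGISTER:
        portal.register_vulnerable(kvk, attacker_email)
    return portal.admins


def tokens_reaching(portal: Portal, mailbox: str) -> list:
    """Activation tokens that landed in a given mailbox."""
    return [token for recipient, token in portal.outbox if recipient == mailbox]


if __name__ == "__main__":
    print("vulnerable:", mass_claim_vulnerable())
    hardened = Portal()
    hardened.start_claim("12345678")          # attacker starts a claim ...
    print("attacker receives:", tokens_reaching(hardened, "attacker@example.org"))
    owner_token = tokens_reaching(hardened, "directie@example.nl")[0]  # ... but the owner gets the token
    print(hardened.activate(owner_token, "directie@example.nl"))
```

Running the block shows the attacker ending up as administrator of every constructed company under the vulnerable flow, the real owner being turned away afterwards, and, under the hardened flow, the attacker's outbox staying empty while the registered mailbox receives the only usable token.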
I reported this issue immediately to the NCSC through their coordinated responsible disclosure program, to get it to the right party and have it validated and resolved.
Approximately 2 months later I received the message that the party responsible for the software does not see this as a security issue. Therefore this issue will not be resolved.
I sent another message to the party responsible, to make sure we were discussing the same issue about 'impersonating company identity'. They indicated that we were, and the company involved reasoned that in the future they will use "eHerkenning" and that there are some control mechanisms in place to make sure no ghost invoices could be sent.
However, I still see this as a vulnerability, although it isn't a fancy RCE or something else difficult to exploit. For me it shows once again that sometimes it can just be easy and obvious, so that everyone would be able to exploit it.
Sadly, I am not allowed to distribute the name of the respective party or disclose the domain name, as part of this write-up agreement with the NCSC. However, if you are the owner of a specific Dutch company and want to register your company, please feel free to contact me.
I want to thank the NCSC for their always kind support in these responsible disclosure processes.