An IT industry expert, Arman Abdrasilov, has found bugs (vulnerabilities) in the Egov Mobile application.
As the expert reported on his Telegram channel "Abdrasilov's Blog", government services in the Egov Mobile application can be accessed using Face ID (facial recognition). However, according to him, when providing services via Face ID the application does not compare the recipient's face against the Ministry of Justice database; instead it checks against a local facial database, Know Your Client (KYC).
"Egov Mobile trusts KYC from a third-party service. <…> In my iPhone settings, in the Face ID section, there is an 'Alternate Appearance' menu. If you add any other person's face there, they will not only be able to receive government services on my behalf, but also sign documents via the QR signing service through Egov Mobile," the statement reads.
To confirm this, Abdrasilov submitted a vulnerability report to TSARKA's Bug Bounty platform.
"This is now official bug No. 3052, and you can track when and how it will be fixed. It will also be interesting to see whether there will be claims or rejections regarding already signed documents, as there is no proof of legitimacy of signing on the eGov side," the expert writes.
He also spoke about existing problems when obtaining a Digital Signature (DSC) at a Public Service Centre (PSC). According to him, biometrics are used there to confirm the identity of the service recipient.
"The Face ID system here is from a different provider. This solution, unlike Egov Mobile, checks against the Ministry of Justice database, but ... does not perform a liveness check (anti-fraud technology). That is, it is enough to show a photo or video of a person to the camera, for example from social networks, and the PSC operator gains access to any personal account," the statement reads.
Furthermore, the expert noted that moderator rights in the Mobile Citizens Database (MCD) also belong to the PSC operator. This database holds citizens' mobile numbers, which are used for the second security factor when accessing a personal account.
"To register any person in any apartment, operators can change the mobile numbers of the apartment owner and the person being registered in the database to their own, and then via SMS or personal account give permission for the government service. After the procedure, they revert to the old phone numbers," writes Abdrasilov.
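The abuse path described above (change a citizen's phone number, obtain the SMS consent, change the number back) leaves a recognisable trace in a registry's audit log. The following is an added example of detection logic a defender could run over such a log; it is not code from the article, from Egov or from the MCD, and the log format, field names, operator IDs and phone numbers are constructed for illustration. It flags two patterns: a phone change followed by a consent SMS and a revert to the original number within a time window, and one operator pointing several different records at the same number.

```python
"""Detect the 'swap phone, consent, swap back' pattern in a citizen-registry audit log.

Added example. The line format, field names and sample values below are
constructed for illustration; they are not the real MCD audit log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One event per line: ISO timestamp followed by key=value pairs (constructed format).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

# Constructed sample log: op42 parks two records on the same number, collects
# consent for both, then reverts; op07 makes an ordinary change with no revert.
SAMPLE_LOG = """\
2024-05-02T09:00:10 operator=op42 action=phone_change record=ID1001 old=+70001110001 new=+70009990042
2024-05-02T09:00:15 operator=op42 action=phone_change record=ID1002 old=+70001110002 new=+70009990042
2024-05-02T09:01:30 operator=op42 action=consent_sms record=ID1001 service=registration
2024-05-02T09:02:05 operator=op42 action=consent_sms record=ID1002 service=registration
2024-05-02T09:05:40 operator=op42 action=phone_change record=ID1001 old=+70009990042 new=+70001110001
2024-05-02T09:05:45 operator=op42 action=phone_change record=ID1002 old=+70009990042 new=+70001110002
2024-05-02T11:20:00 operator=op07 action=phone_change record=ID2001 old=+70002220001 new=+70002220099
2024-05-03T08:00:00 operator=op07 action=consent_sms record=ID2001 service=registration
"""


def parse_log(text):
    """Parse audit lines into dicts with a datetime 'ts' field, sorted by time."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        ev = {"ts": datetime.fromisoformat(m.group("ts"))}
        for pair in m.group("kv").split():
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_swap_consent_revert(events, window=timedelta(hours=24)):
    """Flag a record whose phone was changed, had a consent SMS issued, and was
    then reverted to the original number, all within `window`."""
    findings = []
    by_record = defaultdict(list)
    for ev in events:
        by_record[ev.get("record")].append(ev)
    for record, evs in by_record.items():
        for i, change in enumerate(evs):
            if change["action"] != "phone_change":
                continue
            consent_seen = False
            for later in evs[i + 1:]:
                if later["ts"] - change["ts"] > window:
                    break
                if later["action"] == "consent_sms":
                    consent_seen = True
                elif (later["action"] == "phone_change"
                      and later["new"] == change["old"] and consent_seen):
                    findings.append({"rule": "swap_consent_revert", "record": record,
                                     "operator": change["operator"],
                                     "temp_number": change["new"],
                                     "start": change["ts"], "end": later["ts"]})
                    break
    return findings


def find_shared_temp_number(events, window=timedelta(hours=24)):
    """Flag an operator who sets the same number on several different records
    within `window` (second-factor SMS for many citizens routed to one phone)."""
    findings = []
    seen = defaultdict(list)  # (operator, number) -> [(ts, record), ...]
    for ev in events:
        if ev["action"] != "phone_change":
            continue
        key = (ev["operator"], ev["new"])
        recent = [(t, r) for t, r in seen[key] if ev["ts"] - t <= window]
        others = {r for _, r in recent if r != ev["record"]}
        if others:
            findings.append({"rule": "shared_temp_number", "operator": ev["operator"],
                             "number": ev["new"],
                             "records": sorted(others | {ev["record"]})})
        seen[key] = recent + [(ev["ts"], ev["record"])]
    return findings


def analyse(text=SAMPLE_LOG):
    """Run both rules over a log text and return the combined findings."""
    events = parse_log(text)
    return find_swap_consent_revert(events) + find_shared_temp_number(events)


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

On the constructed sample, the first rule fires for ID1001 and ID1002 (changed, consented, reverted within minutes) and not for ID2001, which was changed once and never reverted; the second rule fires once for op42 because both records were pointed at the same number. Either rule alone can be explained by legitimate corrections, so an alert is best raised on the combination, and a registry that lets one operator both edit contact numbers and trigger the consent step has a separation-of-duties gap that no log rule fully closes.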
Foundation-Bureau for the Investigation of Corruption