The Information System Authority (RIA) and its partners fixed a critical bug in the ID-card browser extension

At the end of January, RIA updated the ID-card browser extension (plugin) to fix a critical error discovered by researchers at the University of Tartu. The ID-software (ID-Updater) notifies users when software updates are required. If the software does not yet display an automatic update message, you can download the new version here.

In December, a partner agency of RIA reported a vulnerability in a browser plug-in, which is a program used to give a digital signature with an ID-card in an e-service in Chrome, Firefox, Safari, Internet Explorer Edge, and Edge Chromium browsers.
 
Criminals could have exploited the vulnerability of the plug-in if they either took over or operated a website that offers authentication with an ID-card. If a user had logged in with an ID-card to a portal controlled by a criminal, the criminal could have used the information from that authentication operation to log in to another e-service on behalf of the user without the user knowing it.
 
‘To RIA’s knowledge, the vulnerability has not been exploited and no user has suffered damage based on the information we have today. The security flaw has been fixed and users do not have to worry,’ said Mark Erlich, Head of the Electronic Identity Department of RIA. ‘The flaw was not one that criminals could just have stumbled upon, but it took effort to detect it, and for theoretical abuse, it would have been necessary to have control over a website where you can authenticate yourself with an ID-card,’ Erlich specified.
 
‘Unfortunately, it is quite common in the digital world that security vulnerabilities are discovered from time to time and then quickly fixed. No solution is secure on its own – it must be constantly updated and tested. RIA, our partners in the public and private sectors, and researchers are constantly working to identify and fix security vulnerabilities in order to keep up with the new techniques of attackers,’ added Erlich.
 
According to him, the strength of e-government and good cooperation with the community is evidenced by the fact that the security of eID solutions is constantly monitored. ‘If a weakness is found, it is reported immediately. This way, the state can react immediately and eliminate the weakness. Many thanks to the partners and researchers who discovered and reported the vulnerability before it could be abused,’ said Erlich.
 
After upgrading the browser extension, some e-services will need to make their own changes. This means that until the e-service has introduced the latest updates, it will not be possible to log in with an ID-card. ‘To our knowledge, there are only a few such services. Thus, the impact on people’s online habits is small,’ said Erlich. Larger e-service providers have made the necessary updates today, and the use of the ID-card in these services has therefore not been disrupted.

 

Seiko Kuik
Press Officer of the Information System Authority
5851 7028
seiko.kuik [at] ria.ee
