The Information System Authority (RIA) and its partners fixed a critical bug in the ID-card browser extension

At the end of January, RIA updated the ID-card browser extension (plugin) to fix a critical error discovered by researchers at the University of Tartu. The ID-software (ID-Updater) notifies users when software updates are required. If the software does not yet display an automatic update message, you can download the new version from the website.

In December, a partner agency of RIA reported a vulnerability in a browser plug-in, which is a program used to give a digital signature with an ID-card in an e-service in Chrome, Firefox, Safari, Internet Explorer Edge, and Edge Chromium browsers.

Criminals could have exploited the vulnerability in the plug-in if they either took over or operated a website that offers authentication with an ID-card. If a user had logged in with an ID-card to a portal controlled by a criminal, the criminal could have used the information from the authentication operation to log in to another e-service on behalf of the user without the user's knowledge.

‘To RIA’s knowledge, the vulnerability has not been exploited and no user has suffered damage based on the information we have today. The security flaw has been fixed and users do not have to worry,’ said Mark Erlich, Head of the Electronic Identity Department of RIA. ‘The flaw was not one that criminals could just have stumbled upon, but it took effort to detect it, and for theoretical abuse, it would have been necessary to have control over a website where you can authenticate yourself with an ID-card,’ Erlich specified.

‘Unfortunately, it is quite common in the digital world that security vulnerabilities are discovered from time to time and then quickly fixed. No solution is secure on its own – it must be constantly updated and tested. RIA, our partners in the public and private sectors, and researchers are constantly working to identify and fix security vulnerabilities in order to keep up with the new techniques of attackers,’ added Erlich.

According to him, the strength of e-government and good cooperation with the community is evidenced by the fact that the security of eID solutions is constantly monitored. ‘If a weakness is found, it is reported immediately. This way, the state can react immediately and eliminate the weakness. Many thanks to the partners and researchers who discovered and reported the vulnerability before it could be abused,’ said Erlich.

After upgrading the browser extension, some e-services will need to make their own changes. This means that until the e-service has introduced the latest updates, it will not be possible to log in with an ID-card. ‘To our knowledge, there are only a few such services. Thus, the impact on people’s online habits is small,’ said Erlich. Larger e-service providers have made the necessary updates today, and the use of the ID-card in these services has therefore not been disrupted.

Seiko Kuik
Press Officer of the Information System Authority
5851 7028
