Technical Review of Pasig's Contact Tracing Solution 2/9/21, 22:12
https://atom.hackstreetboys.ph/review-of-pasigpass/

Technical Review of Pasig's Contact Tracing Solution

Dec 07, 2020

On October 8, 2020, the City Government of Pasig launched its 'PasigPass' contact tracing solution. PasigPass can be accessed by anyone online by visiting https://pasigpass.pasigcity.gov.ph/.

As of November 28, 2020, there are 452,662 individuals and 1,157 establishments registered and using the contact tracing solution. Source: https://www.facebook.com/VicoSotto/posts/3647660351959283

In the past few months, we've heard a lot about contact tracing apps in the country that may threaten the security and privacy of their users. On this blog, I will be discussing my feedback or review of PasigPass.

Security Headers

Weakness Type: CWE-693: Protection Mechanism Failure

Figure 1: Grade of PasigPass for Security Headers

Security headers provide another layer of security by helping the application prevent potential security vulnerabilities. Using an online grading tool, the PasigPass web application is graded F, which means it does not send the necessary security headers.

X-Frame-Options prevents attacks like clickjacking by telling the browser whether the web app may be framed or not.

Referrer-Policy prevents attacks like reset password token leakage by setting a policy that controls how much information the browser includes with navigations away from the site.

Content-Security-Policy prevents attacks like Cross-Site Scripting (XSS) by whitelisting sources of approved content.


Implementing these security headers is a must for a website that collects or processes personal information. It is also one of the common best practices.
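To make the three checks concrete, here is an added example (not code from the review or from PasigPass) that audits a response's headers for the presence and strength of X-Frame-Options, Referrer-Policy and Content-Security-Policy. The "observed" sample reuses the Server, X-AspNetMvc-Version and X-Powered-By values quoted in the Software Version section of the review; the hardened values, the check thresholds and the helper names are my assumptions, and the online tool's grading scheme is not reproduced.

```python
"""Audit an HTTP response for the security headers discussed above.

Added example; not code from the PasigPass project or the review. The
'observed' sample is constructed from the response headers quoted in the
Software Version section; the hardened sample is a hypothetical set of values.
"""
from __future__ import annotations

# Constructed sample: what the PasigPass response carried according to the
# review (no X-Frame-Options, Referrer-Policy or Content-Security-Policy).
OBSERVED_HEADERS = {
    "Server": "Microsoft-IIS/10.0",
    "X-AspNetMvc-Version": "5.2",
    "X-Powered-By": "ASP.NET",
    "Content-Type": "text/html; charset=utf-8",
}

# Hypothetical hardened set a site handling personal data could send.
HARDENED_HEADERS = {
    **OBSERVED_HEADERS,
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}

# Referrer-Policy values that still send the full URL (path and query, and so
# any reset token carried in it) to other origins.
LEAKY_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


def _get(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_x_frame_options(value: str | None) -> str | None:
    """Clickjacking defence: the page must refuse to be framed by other sites."""
    if value is None:
        return "missing: the page can be framed by any site (clickjacking)"
    if value.strip().upper() not in {"DENY", "SAMEORIGIN"}:
        return f"weak value {value!r}: use DENY or SAMEORIGIN"
    return None


def check_referrer_policy(value: str | None) -> str | None:
    """Referrer leakage: the browser must not send full URLs to other origins."""
    if value is None:
        return "missing: the browser default decides what goes into Referer"
    # The header may carry a fallback list; the last recognised policy wins.
    policies = [t.strip().lower() for t in value.split(",") if t.strip()]
    if not policies:
        return "empty value: treated as missing"
    if policies[-1] in LEAKY_REFERRER_POLICIES:
        return f"weak value {policies[-1]!r}: full URL is sent to other origins"
    return None


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_content_security_policy(value: str | None) -> str | None:
    """XSS containment: scripts must be limited to an explicit allowlist."""
    if value is None:
        return "missing: no restriction on where scripts may be loaded from"
    csp = parse_csp(value)
    script_sources = csp.get("script-src", csp.get("default-src"))
    if script_sources is None:
        return "no script-src or default-src directive: scripts are unrestricted"
    for bad in ("'unsafe-inline'", "*", "data:"):
        if bad in script_sources:
            return f"script-src allows {bad}: injected script would still run"
    return None


CHECKS = {
    "X-Frame-Options": check_x_frame_options,
    "Referrer-Policy": check_referrer_policy,
    "Content-Security-Policy": check_content_security_policy,
}


def audit(headers: dict[str, str]) -> dict[str, str]:
    """Return {header name: finding} for every header that is missing or weak."""
    findings = {}
    for name, check in CHECKS.items():
        problem = check(_get(headers, name))
        if problem:
            findings[name] = problem
    return findings


if __name__ == "__main__":
    for label, sample in (("observed", OBSERVED_HEADERS), ("hardened", HARDENED_HEADERS)):
        findings = audit(sample)
        print(f"{label}: {len(findings)} finding(s)")
        for name, problem in findings.items():
            print(f"  {name}: {problem}")
```

Run as a script it prints the findings for both samples; audit() returns only the problems, so an empty dict means all three headers are present with non-trivial values. Presence alone is not enough: a Referrer-Policy of unsafe-url or a CSP that allows 'unsafe-inline' scripts still gets flagged.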

Sign Up: Information Collection


Figure 2: Signup Form of PasigPass

The sign up form only asks for necessary details such as Full Name, Birthdate, Home Address, Email, and Mobile Number, which are vital for contact tracing.

Sign Up: Password Requirement

Weakness Type: CWE-521: Weak Password Requirements

Figure 3: Password Requirement

The password field on the sign up page clearly displays the requirement for the account's password. For me, I don't recommend setting '6' characters as the minimum number of characters for a password.

The National Privacy Commission (NPC) recommends at least 12 characters.

Figure 4: Tip #1 from NPC's 30 Ways to Love Yourself Online. https://www.privacy.gov.ph/30-ways/

Email Security

Weakness Type: CWE-345: Insufficient Verification of Data Authenticity

Figure 5: Missing SPF Record


When it comes to email security, organizations must publish an SPF record in their DNS to prevent potential email spoofing attacks. Using an online tool, it shows that pasigcity.gov.ph, the main domain, doesn't have an SPF record.

To demonstrate the vulnerability, I used an online fake emailer and sent a fake email to my email address. Here is the result that I received in my email.


Figure 6: Demonstration of Fake Email from pasigpass@pasigcity.gov.ph

pasigcity.gov.ph is using Google Mail as its primary mail server. So to remediate this vulnerability, they only need to add an SPF record to their DNS with the following value:

v=spf1 include:_spf.google.com -all
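The effect of publishing that record, as an added example that is not part of the original post: a minimal SPF evaluator in the spirit of RFC 7208 (ip4, ip6, include and all mechanisms only), run against a constructed DNS table once without a record for pasigcity.gov.ph and once with the suggested one. The Google include chain and the address blocks in it are illustrative placeholders rather than Google's real records, the two sending addresses are constructed, and the function names are mine.

```python
"""Minimal SPF check_host() for the policy above (added example).

Not code from the review or from Google. Implements only the mechanisms the
record needs (ip4, ip6, include, all) over a constructed DNS table; a real
evaluation must query DNS and handle a, mx, exists, redirect and macros too.
"""
from __future__ import annotations

import ipaddress

# Constructed TXT records. The Google include chain and its address blocks are
# illustrative placeholders (RFC 5737 documentation ranges), not Google's real
# SPF data.
DNS_WITHOUT_SPF: dict[str, str] = {
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all",
    # no "pasigcity.gov.ph" entry: the state the review found
}
DNS_WITH_SPF: dict[str, str] = {
    **DNS_WITHOUT_SPF,
    "pasigcity.gov.ph": "v=spf1 include:_spf.google.com -all",  # the suggested record
}

# Constructed sending addresses.
MAIL_SERVER_IP = "203.0.113.10"   # inside the allowed block
SPOOFER_IP = "192.0.2.45"         # anywhere else on the Internet

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 limits DNS-querying mechanisms per check


def check_host(ip: str, domain: str, dns: dict[str, str], depth: int = 0) -> str:
    """Return the SPF result for a message from `ip` claiming MAIL FROM @domain.

    Results follow RFC 7208 section 2.6: none, neutral, pass, fail,
    softfail, permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = dns.get(domain)
    if record is None:
        return "none"            # no policy published: receivers learn nothing
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    sender = ipaddress.ip_address(ip)

    for term in terms[1:]:
        qualifier = "+"          # mechanisms default to "+" (pass on match)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        on_match = QUALIFIER_RESULT[qualifier]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()

        if mechanism == "all":
            return on_match
        if mechanism in ("ip4", "ip6"):
            # A v4 address is never "in" a v6 network, so mixed terms are safe.
            if sender in ipaddress.ip_network(argument, strict=False):
                return on_match
        elif mechanism == "include":
            # RFC 7208 section 5.2: pass -> match; fail/softfail/neutral -> no
            # match; none or permerror in the included record -> permerror.
            nested = check_host(ip, argument, dns, depth + 1)
            if nested == "pass":
                return on_match
            if nested in ("none", "permerror"):
                return "permerror"
        # a, mx, exists, redirect=: not modelled here (no DNS), treated as no match
    return "neutral"             # ran off the end without a match or an "all"


def receiver_action(result: str) -> str:
    """Typical handling of an SPF result by a receiving mail server."""
    return {
        "fail": "reject",
        "softfail": "accept and mark as suspicious",
        "pass": "accept",
    }.get(result, "accept (no usable policy)")


if __name__ == "__main__":
    for label, dns in (("without SPF", DNS_WITHOUT_SPF), ("with SPF", DNS_WITH_SPF)):
        for who, ip in (("Google", MAIL_SERVER_IP), ("spoofer", SPOOFER_IP)):
            result = check_host(ip, "pasigcity.gov.ph", dns)
            print(f"{label:11} {who:8} {ip:14} -> {result:8} ({receiver_action(result)})")
```

Without a record the result is none for every sender, which leaves a receiving server no basis to reject the forged message shown in Figure 6; with the record, mail from outside the included ranges evaluates to fail while Google's servers pass. Note that SPF is evaluated on the envelope sender (MAIL FROM); protecting the From: header that users actually see additionally needs DMARC alignment.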

Autocomplete


Figure 7: Source of Username and Password field with autocomplete set to off

The username and password fields, and even the fields in the signup form, carry an attribute called autocomplete, currently set to off. If the attribute is missing or enabled, credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

This is very important since some users share devices or rent/use computers in internet cafes.

Software Version

Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.2
X-Powered-By: ASP.NET

When you request the PasigPass website, the data above is returned as part of the response headers.

Both the Microsoft IIS server and ASP.NET MVC are up to date!

Reset Password Validity

The first thing I noticed was the note included on the email. I was like WOW! The reset password link validity is so strict or short. The common recommended validity that I always encounter is at least 24 hours, but for PasigPass it's only 5 minutes, which is not a problem (I actually like it).

Additionally, the reset password link looks like this:

https://pasigpass.pasigcity.gov.ph/User/ResetPassword?session=a8278db7-504d-44b9-95e7

They use a UUID instead of random characters that could possibly be guessed or brute-forced.
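What the observed reset-link design (a UUID session token with a 5-minute validity) looks like on the server side, as an added example rather than PasigPass's own code: an in-memory issue/redeem service in which the token is stored only as a hash, expires after five minutes and can be redeemed exactly once. The ResetService class, its storage, the ManualClock helper and the placeholder base URL are assumptions; only the token shape and the 5-minute window come from the review.

```python
"""Password-reset link issue/redeem with the properties noted above.

Added example, not PasigPass code: the in-memory store, the ResetService
class and the placeholder base URL are assumptions; only the UUID token
shape and the 5-minute validity come from the review.
"""
from __future__ import annotations

import hashlib
import time
import uuid
from dataclasses import dataclass

RESET_LINK_TTL_SECONDS = 5 * 60  # the 5-minute validity observed on PasigPass
# Placeholder: the real application's URL is not reproduced here.
BASE_URL = "https://reset.example.invalid/User/ResetPassword?session="


@dataclass
class PendingReset:
    user_id: str
    expires_at: float      # absolute time (seconds since epoch)
    used: bool = False     # a link is redeemable exactly once


class ManualClock:
    """Deterministic clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float) -> None:
        self.current = start

    def now(self) -> float:
        return self.current

    def advance(self, seconds: float) -> None:
        self.current += seconds


class ResetService:
    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        # Keyed by the SHA-256 of the token: a copy of this table (for example
        # a database dump) is not enough to build a working reset link.
        self._pending: dict[str, PendingReset] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a single-use, short-lived reset link for user_id."""
        # uuid4 draws 122 random bits from os.urandom, so the token cannot be
        # guessed or enumerated; secrets.token_urlsafe(32) would do equally well.
        token = str(uuid.uuid4())
        self._pending[self._digest(token)] = PendingReset(
            user_id=user_id, expires_at=self._clock() + RESET_LINK_TTL_SECONDS
        )
        return BASE_URL + token

    def redeem(self, token: str) -> str | None:
        """Return the user id if the token is known, unexpired and unused, else None."""
        key = self._digest(token)
        record = self._pending.get(key)
        if record is None or record.used:
            return None
        if self._clock() > record.expires_at:
            del self._pending[key]   # expired: drop it so it can never be replayed
            return None
        record.used = True
        return record.user_id


def token_from_link(link: str) -> str:
    """Extract the session token from a reset link produced by issue()."""
    return link.rsplit("=", 1)[1]


if __name__ == "__main__":
    clock = ManualClock(1_700_000_000.0)
    service = ResetService(clock=clock.now)
    link = service.issue("user-42")
    token = token_from_link(link)
    print("first redeem :", service.redeem(token))      # user-42
    print("second redeem:", service.redeem(token))      # None (already used)
    stale = token_from_link(service.issue("user-42"))
    clock.advance(RESET_LINK_TTL_SECONDS + 1)
    print("after 5 min  :", service.redeem(stale))      # None (expired)
```

The dictionary lookup by digest is an exact match on a high-entropy value, so timing differences do not help an attacker narrow the token; what the short window buys is that a link leaked through a Referer header or a mail log is worthless within minutes, which is why the 5-minute validity is a good choice.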

Figure 8: Reset Password Email from PasigPass, received when I requested to reset my password

Web Application Firewall

Weakness Type: CWE-693: Protection Mechanism Failure


Figure 9: Result of WAF Checker

A Web Application Firewall (WAF) typically protects web applications from attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection, among others.

By deploying or implementing a WAF in front of a web application, a shield is placed between the Internet and the web application.

Right now, I haven't detected a WAF installed in front of PasigPass.

Password can be submitted using GET

Weakness Type: CWE-598: Use of GET Method With Sensitive Query Strings

Figure 10. Source code of Login Form

By default, a form with no method attribute is submitted using GET. The problem with the GET method is that data such as the username and password is transmitted as part of the URL.

Sensitive information within URLs may be logged in various locations such as:

- web server logs (via referrer);
- browser's history;
- and potentially, search engines (cached by Google)

Privacy Statement

What they have:

Service description
Personal information that is collected
Purpose of collected information


Third Party transfer/disclosure
Retention Period
Data Subject Rights

What are missing:

Method and Timing of Collection
  How do you collect information?
  When do you collect information?
Storage and transmission of information
  How do you store and transmit information?
  How do you protect stored personal data?
  How do you protect personal data in transit?
DPO Contact Information
  How can data subjects reach out to you regarding data privacy?

So far, Pasig's PasigPass application is the most okay contact tracing solution in the country right now. Well, I haven't tried performing thorough testing yet (unless they give me permission), so I have no idea yet if there are other potential vulnerabilities in the application. There might be some if we perform targeted testing based on the features of the application, libraries used, etc.

To everyone, please validate the email coming from @pasig.gov.ph to avoid getting tricked by scammers or cybercriminals.

Timeline

November 30, 2020 12:48am - Email sent to info@pasigcity.gov.ph and Mayor Vico's email address.
December 2, 2020 10:02am - I emailed to request for updates.
December 4, 2020 9:16pm - I sent my final email and informed them that I will publish this blog post.

That is all for now!
