Researchers Find Security Vulnerability in Germany’s eID Cards
Researchers from German security firm SEC Consult said that they have identified a vulnerability in the backbone of the government’s electronic ID (eID) card system. The bug allows an attacker to trick a website and spoof the identity of another German citizen when using the eID authentication option.
The flaw lies in a component called Governikus Autent SDK, which is used to add support for eID logins and registration on a lot of websites and government portals. The attack was demonstrated by the researchers in a YouTube video.
Although the flaw is difficult to exploit, the researchers say that the attack is entirely possible. However, SEC Consult says the attack does not work against all websites that use eID authentication, particularly those that have implemented “pseudonyms” that do not return actual user data with each authentication request.