The Swedish Board of Student Finance CSN is the government agency that manages
Swedish student finance, i.e. grants and loans for studies. They also manage
driving licence loans and home equipment loans.
This is the story of when I found two security vulnerabilities in their login
functionality and reported it to them.
Discussions with CSN how to report
Vulnerability report sent to CSN
Reception of report confirmed by CSN
Asked specifically about permission to perform a proof-of-concept
against myself (still no response)
Email from the Information Security Officer at CSN thanking me for the
report. They are working on mitigations for the two vulnerabilities.
Asked again for permission to perform a proof-of-concept. I also asked
if they think the mitigations will be finished before the planned
publication the 4th of November. Still no response.
90 days have passed since CSN received the vulnerability report. The
original plan was to publish this post this day but I procrastinated
CSN start two days of My Pages maintenance over the weekend. The
vulnerabilities seem to be unsolved.
A preview of this blog post was sent to all people mentioned in it for
review (including CSN)
CSN take down the vulnerable page for maintenance right before the
Publication of this post at 17:06 CET
Catching My Attention
I’m member of a Swedish speaking Facebook group around IT security called
with 6800 members. One post by the group member Shadi Domat the 4th of August
2020 was regarding CSN’s use of a four-digit PIN as one way of logging in
(link to the
for members of the group).
At the time I had worked almost three months as an IT security consultant at
Defensify where I focus on performing security
assessments of companies’ web applications. I was on vacation and decided to
take a quick look at CSN’s PIN login functionality. Every user in their system
has a four-digit PIN that is printed in various mails from them. It’s used to
log in to one’s My Pages on the web and to use Interactive Voice Response
(IVR) via phone.
Being a former Swedish university student myself I have an account and also an
active loan. It didn’t take long until I suspected a possibility to perform a
brute-force attack on anybody’s account.
The login by PIN form looks as follows. One enters one’s personal identity
number, which is like a social security number but public, as username.
If one enters the wrong PIN a warning is displayed saying the account will
become locked after five attempts and one has to order a new PIN:
And after five incorrect attempts the error message looks like this:
So now the account is locked and all further PIN guesses will fail, but one can
order a new PIN. Here is the form for that:
As you can see one enters one’s personal identity number and solves a numeric
CAPTCHA. The next step pictured below is to choose the delivery method for the
new PIN. There are one to three options available depending on what contact
information CSN has stored. Delivery by snail mail is always possible, and
delivery by text message (SMS) and/or email is available if CSN has one’s
mobile phone number and email address respectively.
After selecting the delivery method a confirmation page is displayed. Here is
the confirmation after selecing email as method:
So, that’s the whole PIN login flow. At this moment the first time I tried the
whole flow, I immediately suspected that there was a way to use brute force to
login to anybody’s account – there’s less than 10,000 possible PINs after all
(some are blocklisted, like 1234). I got that feeling based on a mistake I had
previously seen in a customer engagement at Defensify. If you don’t already
suspect something they might have done wrong, please pause here and think for a
One of the vulnerabilities is that it’s possible to guess PINs unlimited number
of times. One has to reset the PIN (order a new one) after five attempts, but
there seems to be no limit in
the number of times that can be done. The fact that the PIN changes doesn’t
affect the probability to guess the correct one. Given that the new PIN is
assigned randomly and that one guesses randomly, the probability to guess the
PIN right is p ≈ 5 / 10000 ≈ 0.05% for every new PIN. On average (to have at
least a 50% chance) one needs to reset the PIN
times and make in total 1386 * 5 = 6930 login attempts before finding the
One problem with performing that many login attempts and PIN resets is that it
must be automated because almost nobody has the patience to do that manually.
But a CAPTCHA must be solved every time one wants to reset the PIN. Or must it?
The other vulnerability is in the CAPTCHA requirement as that rhetorical
question suggests. Step one described above is to fill in one’s personal
identity number and to solve a CAPTCHA. The next and last step is to choose a
delivery method for the PIN. Submitting that second form successfully generates
a new PIN and sends it via the chosen media. The vulnerability lies in that the
last step can be repeated any number of times without solving a new CAPTCHA. So
an attacker just needs to solve one CAPTCHA per victim.
Here is the HTTP request that can be repeated indefinitely to generate new
The idea was to write a simple Python script to automate the above attack
method as a proof of concept, but I thought sending thousands of requests to
CSN’s servers could be considered an attack of their infrastructure and be
illegal so I decided to ask for permission to attack myself first. CSN never
responded to that request, however, so no script is developed.
Reporting The Vulnerabilities
It was quite hard to find the right way to contact CSN to report the
vulnerabilities. The best way on their website was a form for general
questions, but I decided to make an Internet search instead to speed up the
process of reaching somebody in charge of security. I searched for
site:csn.se and information security responsible (but in Swedish). I got a
few hits in published PDF documents where I could find a name. I didn’t know
if the person was still the responsible person so I checked their LinkedIn
profile where they stated that they is the information security responsible
at CSN. I decided to send an email to the address on the format
email@example.com and also to firstname.lastname@example.org. I got a bounce
message saying that the security email address did not exist.
I quickly got in touch with a person who wants to stay anonymous who agreed on
a way of encrypted communications. Either the information security responsible
was on vacation and that person had access to their mailbox or the responsible
silently forwarded my initial email. After I sent my report the anonymous
person quickly acknowledged the reception of it.
After that nobody communicated with me for a long time and I never got
permission to build a proof of concept script to verify that my attack scenario
would work. After one and a half month the information security responsible,
who was the recipient of my initial email to CSN, reached out thanking me for
the report and told me that CSN were working on mitigations. I again asked for
permission to do a proof of concept but never got a reply.
Recommendations to CSN
The following recommendations were sent to CSN along with the vulnerability
descriptions the 6th of August 2020. Some complement each other and some are
Restrict how many times or how often a new PIN code can be ordered. It seems
unlikely that a user would need to order a new PIN more than once per day.
Make it mandatory to solve a new CAPTCHA every time a new PIN code is ordered
so that it becomes harder to automate attacks
Investigate logs to see if others have found the same vulnerabilities and used
them to login to anybody’s account. If so, inform affected users.
Discuss with the DPO (Data Protection Officer) of CSN whether an incident
report to the Swedish Data Protection Authority
Define alerts in the monitoring systems to detect intrusion attempts like the
ones described above
Check whether an attacker can request hundreds or thousands of physical
letters with new PIN codes sent to a victim - either as a joke or just to
waste CSN’s money
Add a possibility for users to disable login via PIN
Automatically disable PIN logins when a user logs in via the electronic
citizen solution BankID the next time (creds to
group member Magnus Danielson for that
Publish a Vulnerability Disclosure
on www.csn.se to inform visitors how to get in touch with the right people
in case of suspected security problems
Friday the 13th of November 2020, while working on this blog post, I noticed
that CSN had done some changes to the login by PIN functionality. They have
moved the solving of the CAPTCHA to step two, which I suspect is done in
response to my findings. That is not an improvement security wise however since
it’s still possible to repeat the second request (including the solution to the
CAPTCHA) many times. I successfully generated 20 emails with new PINs to myself
within one minute.
The new flow for ordering a new PIN follows.
Here is the new HTTP request that can be repeated indefinitely to generate new
On the same day as, but prior to, the publication of this post CSN decide to
take down the vulnerable order personal code page for maintenance. Either
they took the decision entirely on their own after I notified them about my
planned time for publication or the fact that I contacted the Swedish
CERT during the day influenced their decision.
I recommend organizations to publish a security.txt
file with a communication channel for vulnerability
reports, accompanied with a vulnerabilty disclosure policy (VDP), and to
cooperate with security researchers reporting vulnerabilities to avoid
misunderstandings, confirm the vulnerability and let the researcher verify