RIA fixes critical flaw in ID-card browser extensions

Information System Authority (RIA) logo. Source: Nelli Pello/RIA

The Information System Authority (RIA) updated an ID-card browser extension at the end of January to eliminate a critical flaw detected with the help of scientists from the University of Tartu.

In December, a partner institution informed RIA about a weakness in a browser plug-in, a program used for giving a digital signature with the ID-card in the Chrome, Firefox, Safari, Internet Explorer Edge and Edge Chromium browsers, RIA said on Wednesday.

The weakness in the plug-in could have been exploited by criminals who had either taken over or owned a website that enables authentication by ID-card. If a user logged in with their ID-card to a portal controlled by an attacker, the attacker would have been able to use information from the authentication procedure to log in to some other e-service as that user, without the user's knowledge.

"According to the information that RIA has, the weakness has never been exploited and no user has suffered damage, based on what we know at this point. The security flaw has been mended and users do not need to worry," Mark Erlich, head of the electronic identity department at RIA, said in a statement. 

"The weakness was not of the kind which criminals could have stumbled across accidentally, but efforts had to be made to discover it and, theoretically, for exploiting it one needed to have control over a website where people can identify themselves with the ID-card," Erlich said.

Erlich said that it is rather usual in the digital world for security flaws to be discovered from time to time and then quickly eliminated. No solution remains safe just by itself, but needs to be updated and checked over all the time, he said.

Following the browser extension update, some e-services need to make changes of their own. Until such an e-service has introduced its updates, logging in to it with the ID-card will not be possible.

"To our knowledge, there are few such services. Hence the impact on people's internet habits is small," Erlich added.

Major providers of e-services have by now made the necessary updates, and there are no disruptions to the use of the ID-card with them.



Editor: Helen Wright
