A Web site used by vendors to register and bid on government contracts through the U.S. General Services Administration (GSA) was shut down Wednesday for repairs after one user reported security problems that allowed him to view and potentially change bids by other vendors.
The GSA’s eOffer/eMod Web site is used by vendors that want to do business with the government and enables them to electronically prepare and submit their applications. It was taken off-line to allow IT workers to repair the apparent flaw, said GSA spokeswoman Jennifer Millikin.
“When we were alerted, we took it down immediately,” she said. Technicians will work through the holiday weekend to fix the problems. The site is expected to be back in operation by the middle of next week, she said.
A message on the Web site Friday said, “The eOffer system is down for maintenance. Please pardon the inconvenience, thank you.”
The security problem was discovered Dec. 22 by Aaron Greenspan, president and CEO of Dallas-based Think Computer Inc., a one-man Web software development company that also does IT and security consulting. In an interview Friday, Greenspan said he found the security glitch accidentally when he tried to resubmit his application to become a government vendor. His initial application was rejected based on an incorrect price that he entered. His second application had an extra space in one line, but the Web site wouldn’t allow him to remove the space. He deleted the second application, corrected it, then uploaded it again to the GSA server as required.
On a hunch, he checked to see if he could still access the first aborted application and was surprised to find that it was still visible through the Web site. Further investigation found that he was able to access other applications from other vendors by modifying the unique ID number on his second application, he said.
Using a different ID number, Greenspan was able to see bid data, pricing, personal contact information, confidential financial data and more about other vendors. The information could also be downloaded and potentially changed before being uploaded back to the Web site, he said.
Greenspan prepared a six-page white paper detailing his findings.
“When it is my documents that are up there, and they’re giving other people potential access to them, that’s not OK,” Greenspan said. “I’m glad they shut down the site. That means they’re taking it seriously.”
He was, however, not happy that it took the agency more than 20 days to investigate his claims before shutting down the Web site. “I hope they put a bit more thought into it this time.”
The eOffer/eMod Web site uses digital authentication technology to ensure the integrity of data and to electronically sign the vendor’s proposal or modification request, according to the site. Digital certificates are required to use the Web site.
“GSA took immediate action to repair a glitch that compromises the integrity of a Web tool the agency provides to make it easy for customers to prepare and submit their electronic GSA Schedule offers and Schedule contract modifications,” Millikin said in an e-mail statement Friday. “Once informed, GSA immediately shut down the site and began taking corrective action. The agency also launched an intensive search to identify possible irregularities within the other electronic tools GSA provides to its customers.”
The GSA believes the problem was brought to the agency’s attention before it became a hazard to other users,” she said. “Security, of course, remains a priority issue with the agency. We have a rigorous certification and accreditation process to ensure management, operational and technical controls are adequately implemented on our systems. We conduct regular reviews of our information systems to mitigate newly discovered vulnerabilities and prevent misuse of our systems.”
Part of the delay in investigating the claims and taking the site down was that it was first brought to the attention of the GSA over the December holidays, while workers were on vacation, Millikin said.