Visa applications obtained by, details redacted.

An investigation was able to access the editable Schengen visa application forms of three totally random people, some FOUR DAYS after operating company VFS Global said a vulnerability had been fixed and the system was now secure.

Visit the VFS Global website and it not only celebrates having handled 100 million visa applications but also boasts of being the world's largest outsourcing and technology services specialist for governments and diplomatic missions worldwide. It specialises in "visa and passport issuance-related administrative and non-judgemental tasks" for client governments, of which there are 45 around the world. What you won't find any mention of is what appear to be systemic failures when it comes to security.

A vulnerability which first hit the media courtesy of contributor and veteran security journalist Davey Winder back in 2007, and which led to an independent enquiry ordered by the UK Foreign Secretary, re-emerged last week, some eight years on.

According to the European Commission "the border-free Schengen Area cannot function efficiently without a common visa policy which facilitates the entry of legal visitors into the EU, while strengthening internal security" and that is delivered by way of the so-called Schengen Visas that are given for up to three months at a time. So it came as something of a surprise to discover that the company responsible for the administration of these visa applications could potentially be putting that internal security at risk at least as far as one part of that system was concerned.

The Guardian briefly reported how part of the Schengen Visa application system suffered a 'technical glitch' which allowed users to access the applications of complete strangers (also reported by SCMagazine). Actually, that technical glitch was more of a security vulnerability; it was the same vulnerability that VFS Global had been made very aware of back in 2007. The company issued a fix, but as an SC Magazine UK investigation can exclusively reveal, this fix was also easily bypassed, allowing random application forms to be accessed by exploiting the same basic vulnerability.

We first became aware of the latest security failure in the visa application system when we were approached by Alexey Utkin, head of financial practice at technology consultancy DataArt UK. Utkin pointed us in the direction of the Guardian story which broke over the weekend, and was concerned that the promised fix had not been properly implemented. Unaware at the time that he was talking to the journalist responsible for breaking the original story back in 2007, Utkin thought we would find the simplicity of the vulnerability unbelievable. He was right, but equally unbelievable was the fact that a system responsible for taking Schengen Visa applications for Italy submitted in the UK could remain so fundamentally broken on the security front, as we soon discovered.

"On Wednesday night last week I was trying to access my family Italian visa application forms to print those out before our appointment and realised VFS Global had released a new online visa application system since I originally filled in the forms and hadn't migrated the data, so I had to fill all three applications again," Utkin told SC, continuing, "while fighting with numerous glitches trying to do this, I realised that the new visa system doesn't secure applications data at all. In its system only the application reference number was required to get access to the application data, and reference numbers were sequential – allowing any user to get anyone else's data."

This immediately rang alarm bells with Winder, who recalled his earlier investigation and the words of the UK government investigation report by Linda Costelloe Baker, which stated: "VFS did not appear to have had a formal security function, and thus an effective security procedure to cover software development and testing. VFS and UKvisas agree that no third party penetration tests were carried out in the development phase of the online system or after it was launched. This is a serious and very basic failing."
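The design flaw Utkin describes, a record retrievable by nothing more than a sequential reference number, is a textbook insecure direct object reference. The following is an added example written for this article, not code from VFS Global or its visa system: a toy record store built the weak way next to a hardened version that issues unguessable references and checks that the authenticated account asking for a record is the one that created it. All applicants, account names and records are constructed sample data.

```python
"""Sequential-reference lookup (the flaw described above) beside a hardened lookup.

Added illustrative example; not the visa system's own code. Records and
account identifiers are constructed for the demonstration.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Application:
    applicant: str
    owner_account: str   # the logged-in account that created the record
    nationality: str


class SequentialStore:
    """Weak design: the reference number is the only thing needed to read a record."""

    def __init__(self):
        self._next_ref = 1000
        self._records = {}

    def create(self, app):
        ref = self._next_ref          # predictable: each record is the previous one plus 1
        self._next_ref += 1
        self._records[ref] = app
        return ref

    def get(self, ref):
        # No notion of who is asking: any caller who knows a valid
        # reference (or simply tries neighbouring numbers) gets the record.
        return self._records.get(ref)


class OwnedStore:
    """Hardened design: unguessable reference plus an ownership check."""

    def __init__(self):
        self._records = {}

    def create(self, app):
        # 128 bits of randomness: not sequential and not practically guessable.
        ref = secrets.token_urlsafe(16)
        self._records[ref] = app
        return ref

    def get(self, ref, requesting_account):
        # Authorisation is separate from lookup: the record must exist AND
        # belong to the authenticated account making the request. Both
        # failure modes return None so a caller cannot tell "no such
        # reference" apart from "exists but not yours".
        app = self._records.get(ref)
        if app is None or not hmac.compare_digest(app.owner_account, requesting_account):
            return None
        return app


def demo():
    """Return (weak_design_leaks, hardened_allows_owner, hardened_blocks_other)."""
    alice = Application("A. Example", "acct-alice", "GB")
    bob = Application("B. Sample", "acct-bob", "GB")

    weak = SequentialStore()
    ref_alice = weak.create(alice)
    weak.create(bob)
    # Holding only her own reference, Alice's session reaches the next record.
    weak_leaks = weak.get(ref_alice + 1) is bob

    strong = OwnedStore()
    strong_alice = strong.create(alice)
    strong_bob = strong.create(bob)
    owner_ok = strong.get(strong_alice, "acct-alice") is alice
    other_blocked = strong.get(strong_bob, "acct-alice") is None
    return weak_leaks, owner_ok, other_blocked


if __name__ == "__main__":
    print(demo())
```

The point of the hardened store is that both defences are needed: a random reference alone still fails the moment a reference leaks (printed forms, shared links, browser history), and an ownership check alone still lets a sequential number reveal that a record exists. The constant-time comparison is a habit rather than a requirement here, since account identifiers are not secrets.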