Published on 2 April 2026

AGOV PenTest & Bug Bounty Overview 2023–2025

Overview of the penetration tests (PenTests) conducted and planned for AGOV. The PenTests were carried out by armasuisse in coordination with software providers, system operators, and the business owner.

Timeline of AGOV PenTests

2023 (report dated 24.01.2024): PenTest I

  • Focus: Comprehensive assessment of the AGOV core systems, including Account Management (me.agov.admin.ch), Identity Provider (idp.agov.admin.ch), and Authentication Service (auth.agov.admin.ch). The test was conducted as a partial white-box test.

February 2024: PenTest II

  • Focus: This phase focused on the “HeloITSM” system.

May 2024: PenTest III (Part 1)

  • Focus: Assessment of the AGOV Counter component during calendar weeks 19 and 20.

June 2024: Planned PenTest III (Part 2)

  • Details: Originally planned for AGOV Connect and IdP re-tests. However, these tests could not be executed as planned and were postponed to PenTest IV.

September – October 2024: PenTest IV

  • Focus: Assessment of the Trust Broker (BTB/STB) as well as the AGOV modules Connect, View, Access App, and Nevis IDM.

April – May 2025: Iteration #1

  • Focus: AGOV account recovery processes (SMS, OBL, video) from April 28 to May 2.

October 2025: Iteration #2

  • Focus: e-ID login workflows and integration, including the Verifier Management Service and OID4VP (OpenID for Verifiable Presentations).

Findings per PenTest

PenTest I (2023)

A total of 12 vulnerabilities were identified:

  • Address Information Disclosure (High): Exposure of address data via API responses.
  • Address Verification Rate Limiting (High): Missing rate limiting for address verification.
  • Potential Race Conditions (Medium): Multiple endpoints without locking mechanisms.
  • Address Verification Design (Medium): Design flaws in the verification process.
  • Token Verbosity (Medium): Tokens contain more information than required by the resource provider.
  • Insecure Cryptography (Medium): Use of weak encryption (AES-ECB) for security tokens.
  • Vulnerable JS Library (Medium): Use of an outdated jQuery version (3.3.1) with known vulnerabilities.
  • Cookie Security (Medium): Various weaknesses in cookie protection.
  • Strict-Transport-Security Header (Medium): Missing or misconfigured HSTS headers.
  • Email Changing Race Condition (Low): Possibility to change multiple accounts to the same email address simultaneously.
  • Address Verification Ignored Field (Low): A non-validated field could be used to redirect mail.
  • Content Security Policy (Low): Suboptimally configured CSP headers on subdomains.

PenTest III Part 1 (AGOV Counter, May 2024)

  • Findings: No findings were recorded for the AGOV Counter component during this phase.

PenTest 2025 Iteration #1 (Account Recovery Process)

  • SMS Recovery Code Mass Attack (High): Attackers could trigger SMS codes at scale, leading to financial damage and resource exhaustion.
  • Recovery Code Letter (OBL) Mass Attack (High): Abuse of the system to send physical letters in bulk.

PenTest 2025 Iteration #2 (e-ID Flows, October 2025)

Five findings were identified:

  • Verifier Management service publicly accessible (Medium): The service should only be accessible internally.
  • AGOV Account Takeover (High/Info): An attacker could link a self-created e-ID with a victim’s AHV number (tested in the beta environment).
  • Verifier APIs improper input validation (Low): APIs do not strictly validate field values.
  • Swagger enabled (Info): Enabled Swagger UI facilitates reconnaissance for attackers.
  • Non-sanitized values accepted from e-ID (Info): Data from the e-ID is accepted without sanitization.

AGOV Bug Bounty Overview 2023–2025

Security researchers can participate in AGOV Bug Bounty programs. BugBounty Switzerland is the platform partner for the operational implementation of the programs. NCSC supports the implementation in an advisory role.

The table below lists, for all findings from both Bug Bounty programs, the criticality assigned by the AGOV (eIAM) Security Team and a short description based on the vulnerability type:

Private Bug Bounty Program (eIAM & AGOV)

Public Bug Bounty Program (AGOV)