The US General Services Administration, the agency responsible for government IT procurement and for awarding government security contracts, has just shut down its tendering website because the site is not secure for contractors to use.
The shutdown has been reported in The New York Times, which says the agency was warned about its site’s vulnerability by a security contractor before Christmas.
The New York Times said the contractor had reported he could modify corporate and financial information submitted by other suppliers, which could have led to contracting fraud.
The contractor said the website could have been used for industrial espionage or bid tampering. The agency said it believed the flaw had not been exploited by intruders or by authorised users.
It is not known how long the site had been vulnerable. The agency introduced its eOffer website in May 2004 to allow companies to respond electronically to requests for proposals for computer services and products.
The site is now closed, with a message telling visitors, "The eOffer system is down for maintenance. Please pardon the inconvenience. Thank you."
The security flaws were discovered by Aaron Greenspan, president of Think Computer, an IT security firm based in Dallas. He had tried to register his company as a government contractor in December.
He discovered that, once he had validated his own account with the system, he could call up documents at random and take over the accounts of other companies simply by entering a publicly available business identification number.
"Theoretically, one could have started a bidding war between Boeing and Lockheed Martin, or Dell and Gateway, or changed the terms of their existing contracts," he told the newspaper.