CNSS doesn't want my money

In the previous post, we looked at eHouwiya's poor login form design; this time we'll look at an infuriating bug in the CNSS login form. For the foreigners, CNSS is Tunisia's social security fund.

I contacted CNSS via email on April 15 about this very bug. They have yet to respond, so I took it upon myself to use my personal blog as a bug tracker for the government.

I know I'm desperate, you don't have to tell me that.

Preface

I hate long lines, and I especially hate taking time from work to wait in long lines for services which have long been digitized.

There's a local CNSS office close to where I live which is open on Saturdays. I entered the office thinking I'd make my quarterly social security payment but it turns out they don't accept payments on Saturdays. Great.

I haven't been able to login for close to five months now, so I've missed the last payment, and that means I'll have to pay a little extra because of late payment charges. Great.

During those five months, I kept a close eye on their authentication form, logging in every week to see how things were evolving. The bug which I'm about to show you was previously much worse than it currently is.

Logging in

Getting past eHouwiya's login form is already a chore, but the moment I authenticate, CNSS redirects me back to the login form, as if it had refreshed the page.

Looking at the address bar, I can clearly see a new code query parameter with a plausible-looking value that the backend generates to identify my session:

https://tns.cnss.tn/TnsNet/pages/Authentification.xhtml?code=dL***c6

I've got my session cookie, so what's wrong?

Well, OAuth2 is actually straightforward about what should happen when the user successfully authenticates:

After a user successfully authorizes an application, the authorization server will redirect the user back to the application. Because the redirect URL will contain sensitive information, it is critical that the service doesn’t redirect the user to arbitrary locations.

Redirection

What CNSS is doing is actually the opposite: instead of redirecting me to the next page (where I would proceed to give them my money), they redirect me back to the authentication page.

Here's the payload of what they send to eHouwiya's authentication endpoint:

response_type: code
client_id: ***
scope: openid phone identity birthdate id_social email
redirect_uri: https://tns.cnss.tn/TnsNet/pages/Authentification.xhtml
code_challenge_method: S256
code_challenge: ***

Do you see it?

redirect_uri points to the same page I use to login. Argh! That explains it.
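To make the failure mode concrete, here is an added example (my own toy model, not CNSS or eHouwiya code) of the authorization-code flow with PKCE that the payload above describes. It runs the same flow twice: once with redirect_uri registered as the login page, where the code in the URL is simply never exchanged and the user lands on the login form again, and once with redirect_uri pointing at a callback page that consumes the code. The hosts idp.example and tns.example, the client_id "example-client" and the Callback.xhtml page name are assumptions; the real values are redacted or unknown. The authorization server side also shows the check the quoted OAuth2 text calls for: redirect_uri is compared exactly against the registered value, and the code is bound to that value and single-use.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical hosts and client_id: the page redacts the real client_id, and
# "idp.example" / "tns.example" stand in for eHouwiya and the CNSS portal.
IDP_AUTHORIZE = "https://idp.example/authorize"
CLIENT_ID = "example-client"
LOGIN_PAGE = "https://tns.example/TnsNet/pages/Authentification.xhtml"
CALLBACK_PAGE = "https://tns.example/TnsNet/pages/Callback.xhtml"  # assumed page name
SCOPE = "openid phone identity birthdate id_social email"  # scope string from the payload


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for code_challenge_method=S256."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


class AuthServer:
    """Toy authorization server: exact-match redirect_uri check, single-use codes."""

    def __init__(self, registered: dict[str, set[str]]):
        self.registered = registered  # client_id -> set of registered redirect URIs
        self.codes: dict[str, tuple[str, str, str]] = {}

    def authorize(self, request_url: str) -> str:
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        # Exact string comparison against the registration: no prefix or
        # wildcard matching, so an unregistered redirect_uri is rejected.
        if q["redirect_uri"] not in self.registered.get(q["client_id"], set()):
            raise ValueError("redirect_uri is not registered for this client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        # The browser is sent back to the client with ?code=... appended.
        return q["redirect_uri"] + "?" + urlencode({"code": code})

    def exchange(self, code: str, verifier: str, redirect_uri: str) -> dict:
        client_id, bound_uri, challenge = self.codes.pop(code)  # single use
        if bound_uri != redirect_uri:
            raise ValueError("redirect_uri differs from the one the code was issued for")
        expected = b64url(hashlib.sha256(verifier.encode()).digest())
        if not secrets.compare_digest(expected, challenge):
            raise ValueError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(16), "sub": "user-1"}


class Client:
    """Toy relying party with two pages: the login form and a code-consuming callback."""

    def __init__(self, server: AuthServer, redirect_uri: str):
        self.server = server
        self.redirect_uri = redirect_uri
        self.verifier = ""

    def authorize_url(self) -> str:
        self.verifier, challenge = pkce_pair()
        params = {"response_type": "code", "client_id": CLIENT_ID, "scope": SCOPE,
                  "redirect_uri": self.redirect_uri,
                  "code_challenge_method": "S256", "code_challenge": challenge}
        return IDP_AUTHORIZE + "?" + urlencode(params)

    def handle(self, landing_url: str):
        base, _, query = landing_url.partition("?")
        if base == LOGIN_PAGE:
            # The login page only renders the form; the ?code= in the URL is
            # never exchanged, which is the loop described in the post.
            return "login_loop"
        if base == CALLBACK_PAGE:
            code = parse_qs(query)["code"][0]
            return self.server.exchange(code, self.verifier, self.redirect_uri)
        raise ValueError("unexpected landing page")


def run_flow(redirect_uri: str, registered: set[str]):
    """Drive one authorization-code round trip and return what the user ends up with."""
    server = AuthServer({CLIENT_ID: registered})
    client = Client(server, redirect_uri)
    landing = server.authorize(client.authorize_url())
    return client.handle(landing)


if __name__ == "__main__":
    print(run_flow(LOGIN_PAGE, {LOGIN_PAGE}))        # login_loop
    print(run_flow(CALLBACK_PAGE, {CALLBACK_PAGE}))  # token response
```

The fix on the client side is a configuration change, not a code change: register a redirect_uri that is handled by a page which reads the code, exchanges it, and then sends the user on to the application. Nothing in the example talks to a real endpoint.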

Well, seeing as I'm authenticated, I tried guessing the name of the payment page. I gave up after my fifth attempt.

This story, much like the one before it, ends in frustration. You do not get a happy ending.