Massive E-toll website security flaw

Your E-toll website PIN is visible to anyone with your username, a “security advisory” has warned

January 7, 2014
E-toll website

An unofficial security advisory issued by a hacker identifying themselves as “Moe1” has warned E-toll users that the PINs used to log into their E-toll website accounts can be easily obtained if their username is known.

This is due to a page on the South African National Roads Agency Limited (Sanral) website which can be exploited to expose the PIN of any registered E-toll website user.

The page is intended to be used as part of a standard two-stage account registration process, Moe1 explained, where the user would click on a link in an e-mail to confirm their account.

However, the page at the link contains a “serious security problem,” according to Moe1. It provides the user’s PIN on the confirmation screen.

Although displayed as asterisks (*), creating the impression that the PIN is obscured, the PIN is actually available in clear text in the source code of the web page. The source can be easily viewed from just about any browser.

In the security advisory, Moe1 provides a four-step guide to “hack an E-toll account in 5 seconds”, along with a proof of concept exploit and a video of the exploit in action:

According to Moe1, armed with just someone’s E-toll username a hacker could obtain all kinds of sensitive information from the Sanral website.

This includes ID numbers, vehicle license plate numbers, postal addresses, and payment methods.

“It is great that Sanral informs you to keep your pin safe in their ‘Terms and conditions’ but it’s not very great that they give out your pin to anyone that basically requests for it,” Moe1’s advisory concluded.

Sanral was asked for comment but did not respond by the time of publication.

Original Sanral E-toll website vulnerability thread

Big Cell C security flaw uncovered

My Vodacom security flaw exposes subscriber details

City of Joburg website “hacking” case update

Sanral public e-toll balance check removed

Sanral website exposing your e-toll bills a problem: lawyer

Tags: e-Toll, Headline, security exploit, South African National Roads Agency Limited (Sanral)

Anonymous News Tip
Free Email Newsletter:
Subscribe
X

Anonymous News Tip






Captcha image
Not readable? Change text.

sending

Shutterstock is the image partner of MyBroadband – technology images can be found here

Join the conversation

Connect with MyBB

twitterfacebookandroidappleblackberrynewsletterfeed

Poll

Are you using public WiFi hotspots to connect to the Internet in places like airports, restaurants or shopping malls?

View Results

Loading ... Loading ...

More News

MTN’s 79c per minute changes the game

MTN 79c

It’s notable that MTN’s gone from being attacked to the one doing the attacking

Single line of code that broke online security

OpenSSL

OpenSSL’s security loophole, dubbed Heartbleed, has revealed a fundamental truth about the internet: we should not take goodwill for granted

Sponsorship causes MTN tender investigation — report

MTN logo

MTN has considered a potential conflict of interest in extending a contract awarded to the company that manages its call centres, the Sunday Times reported

Black manufacturers will benefit from digital TV policy — DoC

Non-compliant DVB-T2 set-top box in South Africa

Spokesman for the department of communications, Siya Qoza, hits back at those critical of encrypted set-top boxes and his department

bool(true)