Aarto API exposed personal data

Jan

South Africa's new traffic fine system exposed personal data

An online interface set up for the Administrative Adjudication of Road Traffic Offences (Aarto) system exposed the personal information of every South African who received an infringement notice under the new law.

Personal data contained in the leak included full names, ID numbers, residential or business addresses, phone numbers, vehicle registration information, and infringement details.
 
Every time I see something like this I'm reminded of that SAPS brigadier who said they weren't hacked because the website was still online. Forever etched in my mind.

https://www.wired.co.uk/article/south-africa-whistleblower-leak
On the same day, South African rolling news channel eNCA reported asking police spokesperson Phuti Setati about the breach. His response is a masterclass in unconvincing PR: "Our site is in order -- we have not been hacked. There's no such -- our website is operating normal, we don't have a problem with our website and they never experienced any problems."
 
He was banned for taking mybb to task.

Yeah, but didn't the City of JHB sue him, or threaten to, because he highlighted a flaw in their systems too? IIRC the URL was unauthenticated as well, so if you knew or guessed the URL you could view other people's statements. Or something like that.
 
> Yeah, but didn't the City of JHB sue him, or threaten to, because he highlighted a flaw in their systems too? IIRC the URL was unauthenticated as well, so if you knew or guessed the URL you could view other people's statements. Or something like that.

And that. Locals called him a hacker, but all he did was change the query part of the GET/POST request.
 
I've seen this type of issue on so many sites it's not even funny. The scary part is, if their publicly accessible API is (was) not secure, what does the rest of their systems look like? How long until a database is accessed and all the data leaked because it's not encrypted? Do they even know what POPI is and how to implement the regulations everyone else has to follow?
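The flaw the thread keeps coming back to (an unauthenticated, guessable URL where changing the query parameter returns someone else's statement, and an API that hands out records to whoever asks) is an insecure direct object reference. The following is an added example written for this page; it is not code from the Aarto system, the City of Johannesburg, or any poster. Everything in it is constructed: the statement store, the user names, the `statement_id` parameter name and the placeholder ID numbers are invented, and the 200/401/404 behaviour is the example's own design rather than anything the thread describes.

```python
"""Vulnerable vs. hardened statement lookup (constructed example).

vulnerable_lookup: returns whatever record the client names in the query
string; no session is consulted, so anyone who knows or guesses the URL can
read every statement.

hardened_lookup: requires a logged-in user and only returns records that
user owns. A record that exists but belongs to someone else gets the same
404 as a non-existent one, so the endpoint cannot be used to enumerate
which ids are real.
"""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs

# Constructed sample store: statement id -> record. The ID numbers are
# placeholders, not real identity numbers.
STATEMENTS = {
    1001: {"owner": "alice", "id_number": "0000000000001", "amount": 500},
    1002: {"owner": "bob",   "id_number": "0000000000002", "amount": 750},
    1003: {"owner": "carol", "id_number": "0000000000003", "amount": 250},
}


@dataclass
class Response:
    status: int
    body: Optional[dict]


def _statement_id_from_query(query: str) -> Optional[int]:
    """Parse ?statement_id=NNNN; a missing, repeated or non-numeric
    parameter is a client error rather than something to guess at."""
    values = parse_qs(query).get("statement_id", [])
    if len(values) != 1 or not values[0].isdigit():
        return None
    return int(values[0])


def vulnerable_lookup(query: str) -> Response:
    """The flaw as described in the thread: the lookup key comes straight
    from the URL and nothing ties it to the caller."""
    sid = _statement_id_from_query(query)
    if sid is None:
        return Response(400, None)
    record = STATEMENTS.get(sid)
    if record is None:
        return Response(404, None)
    return Response(200, record)


def hardened_lookup(session_user: Optional[str], query: str) -> Response:
    """Object-level authorization: authenticate first, then check that the
    record belongs to the authenticated user before returning it."""
    if session_user is None:
        return Response(401, None)
    sid = _statement_id_from_query(query)
    if sid is None:
        return Response(400, None)
    record = STATEMENTS.get(sid)
    # Ownership failure is deliberately indistinguishable from a missing id.
    if record is None or record["owner"] != session_user:
        return Response(404, None)
    return Response(200, record)


def enumerate_ids(lookup: Callable[[str], Response],
                  start: int = 1000, stop: int = 1010) -> dict:
    """Walk sequential ids the way someone probing the site would and
    collect whatever the handler leaks: {id: id_number} per 200 response."""
    leaked = {}
    for sid in range(start, stop):
        resp = lookup(f"statement_id={sid}")
        if resp.status == 200:
            leaked[sid] = resp.body["id_number"]
    return leaked


if __name__ == "__main__":
    print("vulnerable endpoint leaks:", enumerate_ids(vulnerable_lookup))
    print("hardened endpoint, logged in as bob:",
          enumerate_ids(lambda q: hardened_lookup("bob", q)))
```

Run it and the vulnerable handler gives up all three records to an unauthenticated walk over the id space, while the hardened one returns only bob's own statement and nothing about the other ids. The ownership check is the whole fix; encrypting the database at rest, which the post above also asks about, does nothing against this class of bug because the application itself is doing the reading.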
 