Post Office immediately disables API leaking ID documents after being alerted

Jan

Jan

Who's the Boss?
Staff member
Joined
May 24, 2010
Messages
14,790
Reaction score
13,438
Location
The Rabbit Hole
Post Office's online car licence disc renewal system potentially leaked ID documents

The South African Post Office's online licence disc renewal system had a significant data privacy flaw that could allow malicious actors to download signatures, ID copies, and proof of address documents.

MyBroadband alerted the Post Office to the vulnerability and, to its credit, it immediately disabled the feature that caused the issue while it finds a better way to implement it.
 
How in this day and age do you have a vulnerability like this? Amateur hour.
 
“The back-office work is done manually; essentially, the applicant uploads the documents that the law requires Sapo to provide — a certified identity document and proof of address not older than 3 months,” it said.
Click to expand...
The Post Office added that its staff have now gotten used to the system and are rapidly completing renewals.
Click to expand...
Same SAPO staff undoubtedly copying the uploaded files to flash drives and selling to syndicates using the info for identity theft.

Hopefully none of the SAPO employees have ever heard of the dark web before.
 
In a related question, why on earth should a person have to provide proof of address in order to renew a vehicle license anyway? When renewing in person at the post office they normally don't ask for proof of address within the past say 3 years that I can remember, but they did require it some years in the past.

In fact, I'm not sure that requiring an ID document makes any sense either?
 
Mawirepower said:
And I applied yesterday because of mybroadband's article!!
Click to expand...
Being lazy can have positive effects. I decided a snapshot of the disc information was too much of a walk down to the work parking area, hence I cancelled the online application.

Funny part is someone boasted in the previous thread about receiving free delivery, there might still be a price to pay?
 
Just look at postoffice.co.za and you can tell the quality of work your private data is being held by, no thanks
 
Solitude said:
How in this day and age do you have a vulnerability like this? Amateur hour.
Click to expand...
It's because security isn't for the most part automatic, so we see a lot of the same developer security mistakes since the early days of the internet. Each generation of devs needs to learn the same thing. The only way to avoid it is to hire properly* experienced developers to do reviews and guide the teams. These people are VERY expensive and it's a seller's market at the moment.

Some things have been made more difficult to F up. We see less SQL injection attacks now days because less experienced devs are guided towards using ORMs and database querying tools that use parameterized queries by default.

*Many devs have lots of years, but they haven't actually grown much, doing the same thing day in and day out for 15 years.
 
Blackhand said:
It's because security isn't for the most part automatic, so we see a lot of the same developer security mistakes since the early days of the internet. Each generation of devs needs to learn the same thing. The only way to avoid it is to hire properly* experienced developers to do reviews and guide the teams. These people are VERY expensive and it's a seller's market at the moment.

Some things have been made more difficult to F up. We see less SQL injection attacks now days because less experienced devs are guided towards using ORMs and database querying tools that use parameterized queries by default.

*Many devs have lots of years, but they haven't actually grown much, doing the same thing day in and day out for 15 years.
Click to expand...
Very much this. People don't grow or change. But that's what auditing and particularly security audits are for. And as a government department, they should have huge audit goals to hit. I've worked with a few government departments at this point, and it's a mixed bag for compliance. The groundwork is all there but how much they actually apply seems to be random chance.
 
Neptuner said:
Being lazy can have positive effects. I decided a snapshot of the disc information was too much of a walk down to the work parking area, hence I cancelled the online application.

Funny part is someone boasted in the previous thread about receiving free delivery, there might still be a price to pay?
Click to expand...
Hahaha I can confirm "free" delivery also. At least there is a price to my details!

Edit: It gets worse.... the 'postage address" was actually printed on the back of someone else's Enatis vehicle query (owner) A4 document. All the personal and vehicle information is there. "Recycling" gone bad!
 
Last edited:
You must log in or register to reply here.
Back
Top
Sign up to the MyBroadband newsletter
X