SANRAL E-TOLL WEBSITE VULNERABILITY

A potential difference from a legal - if not technical - point of view however is that you are furnishing the system with a username: potentially providing knowingly fraudulent credentials

quite a bit more information is needed to establish exactly what is happening and it isn't clear to me (as a result of my own stupidity more than anything else) whether you are authenticating on the user name or are simply feeding it as information in a push query

- - basically it is the difference between asking a bank teller for information about an account and telling the bank teller that you are a particular person and want to know about your account
 
Would like to understand this properly. My reading of the information is that one needs to know the username of an existing e-toll user, then pretend to register your own account, but on the confirmation page, simply add the other user's username, and you'll be sent their PIN code. Is this correct?
Yes. So you'd still need to know the username. Crucially though you can assume that the username won't be difficult to come by. e.g. As a simplistic example, take this forum...I've not taken any steps to hide the fact that my username is HX...since I'm relying on the PIN/password as security.

edit...since the email is jason bourne too we can assume that the attacker created the account. I very much doubt that the number plate shown is his own, so one might not need to know the username after all. i.e. create your own and link it to an arbitrary plate.

To me this is all academic though - the main take away point is that SANRAL's security shares certain characteristics with a colander.
 
Yes. So you'd still need to know the username. Crucially though you can assume that the username won't be difficult to come by. e.g. As a simplistic example, take this forum...I've not taken any steps to hide the fact that my username is HX...since I'm relying on the PIN/password as security.

To target individuals, yeah, you would need a username; otherwise a name dictionary brute force will be sufficient to pull most user details.

This thread is a Nigerian gold pot

Dropped Thuli a line

Dear Complainant/Customer

Kindly be advised that your complaint has been received and acknowledged.

Please be assured that your enquiry is receiving the necessary attention it deserves. Should you wish to speak to one of our consultants, kindly contact 0800 112040.

Your association with this office is much appreciated.

Regards

Customer Services
 
The fact that the pin appears in the page means that the pin is being stored in plaintext in their DB in order for them to create the page. That is also concerning. Passwords should be stored as hashes.

I'm also wary of any password that is only 4 chars and digits only. Only 10000 combinations to brute force. That's not going to keep a determined hacker busy for long.

Why not allow a normal 30 character alphanumeric password?
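As an added illustration of the two points in this post (hashed storage and the size of a 4-digit keyspace), the following is example code written for this thread, not SANRAL's code: a PIN or password is kept only as a salted PBKDF2 digest, so no page can ever render it back, and a failed-attempt lockout is shown as one way to blunt online guessing of 10,000 PINs. The iteration count, the lockout threshold and the Account record are assumptions for the example.

```python
import hashlib
import hmac
import math
import os

# Added example (not SANRAL's code): store a PIN/password as a salted PBKDF2
# digest so that no page can ever render it back, and show why a 4-digit
# numeric PIN is a weak credential. The iteration count is kept low so the
# example runs quickly; production should use far more (OWASP currently
# recommends 600,000 for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 5   # assumed lockout policy, not the portal's real one


def hash_secret(secret: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). Only this pair is persisted; the secret never is."""
    if not salt:
        salt = os.urandom(16)          # per-account random salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_secret(attempt: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for the attempt and compare in constant time."""
    _, candidate = hash_secret(attempt, salt)
    return hmac.compare_digest(candidate, digest)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct credentials of the given alphabet and length."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an online guesser to try every credential."""
    return keyspace(alphabet_size, length) / guesses_per_second


class Account:
    """Minimal account record: hashed credential plus a failed-attempt counter."""

    def __init__(self, username: str, secret: str):
        self.username = username
        self.salt, self.digest = hash_secret(secret)
        self.failed_attempts = 0
        self.locked = False

    def login(self, attempt: str) -> bool:
        if self.locked:
            return False
        if verify_secret(attempt, self.salt, self.digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True                   # stops online enumeration of 10,000 PINs
        return False


if __name__ == "__main__":
    pin_space = keyspace(10, 4)
    pw_space = keyspace(62, 30)
    print(f"4-digit PIN: {pin_space:,} values, {seconds_to_exhaust(10, 4, 10):.0f} s at 10 guesses/s")
    print(f"30-char alphanumeric: about 2^{math.log2(pw_space):.0f} values")
    acct = Account("hx", "1234")
    print("correct PIN accepted:", acct.login("1234"))
```

The contrast the post draws falls out of the two keyspace calls: 10^4 values for the PIN against roughly 2^179 for a 30-character alphanumeric password. The lockout is a stop-gap for the weak PIN; the hashed storage is what makes "the PIN appears on the page" impossible by construction, because the server no longer has the PIN to show.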
 
Wouldn't it be great if someone hacks the Sanral system and brings it down! Will be a day of celebration!
 
The fact that the pin appears in the page means that the pin is being stored in plaintext in their DB in order for them to create the page. That is also concerning. Passwords should be stored as hashes.

I'm also wary of any password that is only 4 chars and digits only. Only 10000 combinations to brute force. That's not going to keep a determined hacker busy for long.

Why not allow a normal 30 character alphanumeric password?

heh - if the pin is stored in clear text, i wonder if credit card details are too? :P
 
The mentioned exploit really just scratches the surface of the Sanral implementation. People close to the actual implementation will know that (similar to CoJ) the IT project team had absolutely no IT governance, auditing, quality assurance, penetration testing, PCI compliance testing (they will say it's not necessary as a 3rd party processes it, but you will be surprised what happens to your financial details), data quality and integrity, monitoring and reporting.

Sanral and every municipality in this country would fail a simple PCI DSS assessment, would never be able to pass ITIL or COBIT, and as such it's very obvious that plenty of such vulnerabilities will be exposed. CoJ for example has made it worse for everyone: honest people finding those issues will nowadays just ignore them (or worse, place them on PasteBin for others to exploit).

Anonymous announced a coordinated attack against Sanral already in 2012 (http://www.unseenworld.co.za/easyblog/entry/hacker-group-anonymous-declares-war-on-sanral.html) and I am pretty certain that all of their systems have been compromised without anyone being aware of it.
 
The mentioned exploit really just scratches the surface of the Sanral implementation. People close to the actual implementation will know that (similar to CoJ) the IT project team had absolutely no IT governance, auditing, quality assurance, penetration testing, PCI compliance testing (they will say it's not necessary as a 3rd party processes it, but you will be surprised what happens to your financial details), data quality and integrity, monitoring and reporting.

Sanral and every municipality in this country would fail a simple PCI DSS assessment, would never be able to pass ITIL or COBIT, and as such it's very obvious that plenty of such vulnerabilities will be exposed. CoJ for example has made it worse for everyone: honest people finding those issues will nowadays just ignore them (or worse, place them on PasteBin for others to exploit).

Anonymous announced a coordinated attack against Sanral already in 2012 (http://www.unseenworld.co.za/easyblog/entry/hacker-group-anonymous-declares-war-on-sanral.html) and I am pretty certain that all of their systems have been compromised without anyone being aware of it.

If you dare question you will be labelled a "hecker" and prosecuted - oh wait, you already have been...

I have no doubt that their website has long been compromised without them even knowing.
 
If you dare question you will be labelled a "hecker" and prosecuted - oh wait, you already have been...

I have no doubt that their website has long been compromised without them even knowing.

Yeah - hoping to get feedback from SAPS/prosecutor this week or next or who-knows-when (been chasing them since October - must be tons of evidence to investigate)
 
A potential difference from a legal - if not technical - point of view however is that you are furnishing the system with a username: potentially providing knowingly fraudulent credentials

quite a bit more information is needed to establish exactly what is happening and it isn't clear to me (as a result of my own stupidity more than anything else) whether you are authenticating on the user name or are simply feeding it as information in a push query

- - basically it is the difference between asking a bank teller for information about an account and telling the bank teller that you are a particular person and want to know about your account

Their verification email link is as follows:
http://www.sanral.co.za/e-toll/portal/PreRegisterAccountValidate.aspx?UserName=jasonbourne

So they are using the username as the identifier to provide you with your pin. Normally this would be some sort of GUID or some other unique key to identify you that is hard to generate. Also once an account has been verified you should no longer be able to use the verification link.
 
Their verification email link is as follows:
http://www.sanral.co.za/e-toll/portal/PreRegisterAccountValidate.aspx?UserName=jasonbourne

So they are using the username as the identifier to provide you with your pin. Normally this would be some sort of GUID or some other unique key to identify you that is hard to generate. Also once an account has been verified you should no longer be able to use the verification link.

Or you would normally encode the parameters you pass in a URL so that it's at least not completely plain-text.
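Added example, not SANRAL's code, covering the two preceding posts (a hard-to-generate unique key instead of the username, a link that stops working once the account is verified, and a parameter that reveals nothing about the account): a verification link that carries a random, single-use, expiring token. The host name, path, table layout and 24-hour lifetime are assumptions for illustration.

```python
import hashlib
import secrets

# Added example (not SANRAL's code): the verification link carries a random,
# single-use, expiring token instead of the account's username. Host name,
# path and store layout are assumptions for illustration.
TOKEN_TTL_SECONDS = 24 * 60 * 60
VERIFY_URL = "https://portal.example.invalid/PreRegisterAccountValidate?token="

# Constructed in-memory tables standing in for the portal database.
USERS = {}    # username -> {"verified": bool}
TOKENS = {}   # sha256(token) -> {"username": str, "expires": float, "used": bool}


def _token_key(token: str) -> str:
    # Only a digest is stored: a leaked TOKENS table cannot be replayed as links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def register(username: str, now: float) -> str:
    """Create an unverified account and return the emailed verification link."""
    if username in USERS:
        raise ValueError("username already registered")
    USERS[username] = {"verified": False}
    token = secrets.token_urlsafe(32)            # 256 random bits, not derived from the username
    TOKENS[_token_key(token)] = {
        "username": username,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return VERIFY_URL + token


def validate(token: str, now: float):
    """Consume the token. Returns the verified username, or None on any failure."""
    record = TOKENS.get(_token_key(token))
    if record is None or record["used"] or now > record["expires"]:
        return None                              # unknown, replayed or expired link
    record["used"] = True                        # single use: the link dies after verification
    USERS[record["username"]]["verified"] = True
    return record["username"]


def verification_status(username: str) -> bool:
    """What a status page may reveal given only a username: verified or not, nothing more."""
    return USERS.get(username, {}).get("verified", False)
```

Knowing someone's username buys nothing here: the token is generated from the operating system's randomness, is not a function of the username, is only ever stored as a digest, and is dead after its first use or after the TTL. The PIN never appears on the confirmation page because this flow has no reason to hold it in a displayable form at all.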
 
Their verification email link is as follows:
http://www.sanral.co.za/e-toll/portal/PreRegisterAccountValidate.aspx?UserName=jasonbourne

So they are using the username as the identifier to provide you with your pin. Normally this would be some sort of GUID or some other unique key to identify you that is hard to generate. Also once an account has been verified you should no longer be able to use the verification link.

Dear Sanral - if you read this and are busy trying to find the hackers - perhaps go back to the drawing board first (for your IT newbs - read this as an intro: http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html). It is quite shameful how multi-billion Rand projects are implemented with a complete lack of expertise in how to handle user credentials and a simple registration- and activation process.

TBH: Anyone involved in Sanral's IT implementation should be embarrassed how this project has been implemented. I think not a single best practice was followed and similar to many other government projects, the wheels will come off in a few months with the system completely collapsing.
 
TBH: Anyone involved in Sanral's should be embarrassed how this project has been implemented. I think not a single best practice was followed and similar to many other government projects, the wheels will come off in a few months with the system completely collapsing.
FTFY :)
 
And House is as quiet as a farm longdrop at three in the morning when the flies are sleeping... :wtf:
 