SANRAL E-TOLL WEBSITE VULNERABILITY

The fact that the pin appears in the page means that the pin is being stored in plaintext in their DB in order for them to create the page. That is also concerning. Passwords should be stored as hashes.

I'm also wary of any password that is only 4 chars and digits only. Only 10000 combinations to brute force. That's not going to keep a determined hacker busy for long.

Why not allow a normal 30 character alphanumeric password?

Not necessarily, they could be encrypting it (with public key) and decrypting it (with private key) on the fly.
 
It doesn't seem to be working for all usernames... we have one guy in the office with an account who gave me his username to try and I get an invalid information message on the link provided.
 
2nd security flaw found now and it's quite an obvious one. That's what you get when you appoint a BEE company to do the work. 90% of the fee goes straight into the chief's pocket, and 10% to the lowest bidding subcontractor.
 
Not necessarily, they could be encrypting it (with public key) and decrypting it (with private key) on the fly.

Okay, and that would mean they need to store that private key in the database too... is that private key encrypted? If not, it's not secure. See where we're going with this? (It's better than a plain-text password, but still not good practice).
 
I can also guarantee users have used the SAME pin on SANRAL's site as their own cellphone/alarm system, get an address, details, plus alarm code. Criminals are jizzing
 
Okay, and that would mean they need to store that private key in the database too... is that private key encrypted? If not, it's not secure. See where we're going with this? (It's better than a plain-text password, but still not good practice).

No, you don't store keys in the database. (Although there are some cases where you'd want a large set of keys stored in the database, you'd use a 'master key' to encrypt those keys.)

The key would be located on the server, or installed within the application itself, with strict access permissions.
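As an added illustration of the points made earlier in the thread (PINs should be stored as hashes, a 4-digit numeric PIN has only 10,000 possibilities, and keys belong outside the database), here is example code that is not SANRAL's and not from any poster. It hashes a credential with a per-user salt and a slow KDF, verifies it without ever storing the plaintext, and compares the size of the 4-digit PIN space with a 30-character alphanumeric password. The PIN "1234", the 600,000-iteration work factor and the 10-guesses-per-second rate are constructed assumptions for the demo.

```python
# Added example (not SANRAL's code): how a PIN or password should be stored,
# and why hashing alone does not rescue a 4-digit, digits-only secret.
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; 600,000 is OWASP's 2023 recommendation
# (an assumed setting for this demo, not anything from the e-toll site).
PBKDF2_ITERATIONS = 600_000


def hash_credential(secret: str, salt: Optional[bytes] = None,
                    iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record "pbkdf2_sha256$<iters>$<salt_hex>$<digest_hex>".

    Only this record goes into the database. Because the plaintext PIN is
    never stored, a page rendered from the DB cannot echo it back to the browser.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_credential(secret: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def hours_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case hours to try every candidate at a given guess rate (rate is an assumed figure)."""
    return space / guesses_per_second / 3600


if __name__ == "__main__":
    record = hash_credential("1234")  # constructed sample PIN
    print("stored record:", record)
    print("verify correct PIN:", verify_credential("1234", record))
    print("verify wrong PIN:  ", verify_credential("4321", record))

    pin_space = keyspace(10, 4)   # digits only, 4 long: 10,000 candidates
    pw_space = keyspace(62, 30)   # [A-Za-z0-9], 30 long
    # Assumed 10 guesses/second: an online login form with no lockout or rate limit.
    print(f"4-digit PIN:   {pin_space:,} candidates, "
          f"{hours_to_exhaust(pin_space, 10):.2f} h to exhaust at 10 guesses/s")
    print(f"30-char alnum: {pw_space:.3e} candidates, "
          f"{hours_to_exhaust(pw_space, 10):.3e} h to exhaust at 10 guesses/s")
```

The hashing fixes the storage problem the thread starts with (nothing in the DB can be rendered into a page as the PIN), but the keyspace numbers show the second problem stands on its own: a salted, slow hash makes each guess expensive, yet 10,000 guesses is still a small budget, which is why a longer alphanumeric secret plus server-side lockout or rate limiting is the usual answer.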
 
Tried with a few verified users, they all give "Invalid Information". Guess this attack only works for non verified users?
 
In the last few years, many companies have had security breaches (Apple, LinkedIn, etc.). With these examples, you would have expected SANRAL to be more careful and not put a PIN code in plain text on a website.

Instead of putting money into fixing this issue it would be better for SANRAL to cancel the etoll system. It is bound to fail, the only question is when.
 
Dear SCAMRAL, You have overdue e-toll exploit in the amount of R1,039.02 which have been handed over for correction to VPC.
Call 0800 SANRAL (726 725) Ref: 0800-F-U.
 