Sixty60 driver application system taken offline due to security vulnerabilities

Jan

Security flaws in Sixty60 driver system

The online application system to become a Checkers Sixty60 driver contained a security vulnerability that allowed users to view the personal information of other applicants.

Sixty60's drivers are recruited by Pingo Delivery, a 50-50 joint venture between Shoprite and RTT Logistics.
 
They also advised Pingo to remove the hardcoded credentials from the client-side JavaScript, secure them properly, and ensure that they are changed.

I've met some "top" local developers at places like Microsoft who made this mistake - constantly. They did not know how to encrypt credentials in their environment files - publicly displayed it at seminars and complained when people were stealing their Azure credit.

I.D.I.O.T.S

A Nedbank developer bragged about how he wrote an encryption for the Nedbank shop app customer data and also published the decryption tool online - for everyone to use, no special keys needed.
Developers aren't known for being all that security conscious in general.

I've seen some downright stupid stuff done by devs who look at you blankly when you tell them they can't deploy that into production.
Which is why there are just automated systems scanning for /.env - it is clearly successful...
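A pre-deploy check in the spirit of the article's advice above (strip credential literals out of client-side JavaScript) and of the /.env point in this post, added here as an example and not code from the article, Pingo or MyBroadband; the patterns, the sample bundle and the file list are constructed for illustration, and the example goes beyond the thread by also flagging secret files left under the web root.

```python
"""Pre-deploy check for two failure modes discussed in the thread:
credential literals shipped in client-side JavaScript and secret files
left inside the web root. Patterns and sample inputs are constructed."""
import re
from pathlib import PurePosixPath

# Heuristic patterns for credential-looking literals in JS (constructed, not exhaustive).
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_secret_assignment": re.compile(
        r"""(?i)\b(api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*['"][^'"]{8,}['"]"""),
    "basic_auth_header": re.compile(
        r"""Authorization['"]?\s*[:=]\s*['"]Basic\s+[A-Za-z0-9+/=]{8,}"""),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# File names that must never be reachable under the web root (constructed list).
FORBIDDEN_WEB_ROOT_NAMES = {".env", ".env.local", ".git", ".htpasswd", "id_rsa"}


def find_hardcoded_credentials(js_source: str) -> list[dict]:
    """Return one finding per matching line: {'line': n, 'kind': pattern_name}."""
    findings = []
    for lineno, line in enumerate(js_source.splitlines(), start=1):
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "kind": kind})
    return findings


def exposed_secret_files(web_root_paths: list[str]) -> list[str]:
    """Return paths (relative to the web root) whose file name is a known secret file."""
    return [p for p in web_root_paths
            if PurePosixPath(p).name in FORBIDDEN_WEB_ROOT_NAMES]


# Constructed sample bundle and directory listing (not from the Sixty60/Pingo system).
SAMPLE_BUNDLE = """\
const API_BASE = "https://api.example.test/v1";
const apiKey = "sk_live_examplekey1234567890";
fetch(API_BASE, { headers: { Authorization: "Basic dXNlcjpwYXNzd29yZA==" } });
console.log("loaded");
"""
SAMPLE_WEB_ROOT = ["index.html", "static/app.js", ".env", "static/.env.local"]

if __name__ == "__main__":
    for finding in find_hardcoded_credentials(SAMPLE_BUNDLE):
        print(f"line {finding['line']}: {finding['kind']}")
    print("exposed under web root:", exposed_secret_files(SAMPLE_WEB_ROOT))
```

Run it as a CI gate over the built bundle and the deploy directory; a non-empty result from either function should fail the pipeline before anything is published.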
 
Bottom line is the developers have no idea what they are doing but will never be held accountable for the losses they cause others to suffer.
 
Apparently it is still working in Zim, Ethiopia and Nigeria. Only the SA applications that are offline.
 
Everything has security flaws in this country, it is nothing unusual.

But this article is more concerned with the 60/60 drivers.

Seems they are heavy on someone's agenda.
 