Security 18.06.2026

Thousands of South African teachers exposed by flaw in website for marking matric exams

A vulnerability in a website used by the Gauteng Department of Education (GDE) for teachers to apply for marking positions exposed educators’ private documents to the public Internet.

The flaw was patched following MyBroadband’s enquiries into the matter, after the issue was brought to the attention of the service provider.

Last week, MyBroadband was made aware of an issue on Paymarker, a website that teachers in Gauteng must use to register to become markers for matric examinations and tests.

The person who informed us of the flaw and potential data leakage indicated that they had registered on the platform, which asked educators to upload a set of private documents.

This included an ID or passport, a certification from the South African Council for Educators (SACE), their tertiary qualifications, academic records, and a motivation letter.

They found that the site renames uploaded files with predictable names based on sequential numbers, and that these names appear in the URLs used to serve the documents.

This resulted in an insecure direct object reference (IDOR), a common access control flaw, which allowed anyone on the platform to access anyone else’s files.

MyBroadband was shown that teachers’ private documents could easily be accessed once an attacker knew the base URL, simply by changing the object reference number.

The informant said they were able to set up a probe and managed to download 35,000 files belonging to educators who had registered on the platform.

They eventually stopped the probe and said they deleted all the files on their local machine to preserve the rights of those who were subject to the exposure.

MyBroadband contacted the Gauteng Department of Education, the Information Regulator and the company behind Paymarker, Lebone Litho, a division of Lebone Media.

Keith Michael, CEO of Lebone Media, responded to our query and said an internal investigation was launched immediately after our correspondence.

Michael said that Lebone’s cybersecurity teams were also engaged to conduct a comprehensive audit trail analysis and technical review.

“This process will allow us to determine the nature and extent of the reported vulnerability, assess whether any unauthorised access has occurred,” he said.

“It can also help us identify the source through which this issue may have been introduced or exposed.”
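What an audit-trail review for this kind of flaw can look for, shown as an added example that is not from the article or from Lebone: accounts that successfully fetched long runs of consecutively numbered documents. The log format, the `/documents/<n>.pdf` path, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Hypothetical access-log format and URL path; the article gives neither.
LINE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"GET /documents/(?P<doc>\d+)\.pdf HTTP/[\d.]+" (?P<status>\d{3}) '
)


def longest_run(ids):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for i in ids:
        if i - 1 not in ids:  # i is the start of a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best


def find_enumeration(lines, min_docs=10, min_run=10):
    """Map each suspicious account to (distinct documents, longest run).

    An applicant's own uploads may be numbered consecutively, so both
    thresholds sit above the five document types the form asks for.
    """
    fetched = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if m and m["status"] == "200":
            fetched[m["user"]].add(int(m["doc"]))
    report = {}
    for user, ids in fetched.items():
        run = longest_run(ids)
        if len(ids) >= min_docs and run >= min_run:
            report[user] = (len(ids), run)
    return report


def sample_log():
    """Constructed lines: two ordinary applicants, one account walking IDs."""
    def line(user, doc):
        return (f'203.0.113.5 - {user} [01/Jan/2026:10:00:00 +0200] '
                f'"GET /documents/{doc}.pdf HTTP/1.1" 200 5120')
    docs = {"teacher_a": range(120, 125), "teacher_b": (300, 302),
            "teacher_c": range(1, 41)}
    return [line(u, d) for u, ids in docs.items() for d in ids]
```

Grouping by authenticated account rather than by IP address matches the flaw as described, where any registered user could reach other users' files.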

Media company responds to private data exposure claims

Screenshots of educators’ private documents that were exposed by the vulnerability.

Michael said that the company was aware of “what appears to be a deliberate effort by a competitor to bring Lebone Litho Printers into disrepute and undermine our reputation.”

He said there was an effort to circulate misleading and potentially damaging information, but the company remained committed to treating every security report objectively.

The investigation currently underway will determine the root cause, timeline, and circumstances surrounding the reported issue, said Michael.

He added that the company could not speculate about details until the technical review was complete. “It would be premature to speculate on the origins or duration of the vulnerability,” he said.

We enquired whether the vulnerability could expose other private data stored on the platform, such as learners’ matric papers in Gauteng.

“At this stage, there is no evidence before us suggesting that other secure systems or repositories have been compromised,” he said.

“Except to say, there are people hell-bent on sabotaging our company.”

The company’s cybersecurity team was focusing on assessing system segregation, access controls, and potential pathways through which the vulnerability could have been exploited.

Michael said that, should the investigation determine that notification was required due to a breach of POPIA, it would act in accordance with legal and regulatory obligations.

“Protecting personal information is a priority,” he said.

The Gauteng Department of Education did not provide answers to our queries before the time of publication. We will update this article when more information is received from the department.

South Africa’s Information Regulator told MyBroadband that it had not been contacted about the potential data exposure.

It said it would seek further information about the situation if it deemed necessary. “The Regulator has not yet determined an approach,” it said.

“Since this matter was brought to its attention, it will consider looking into the matter, as it may have unlawful implications on the processing of personal information of data subjects.”

Paymarker vulnerability patched

Error message shown on the Paymarker site when users attempt to access their private documents.

Lebone confirmed to MyBroadband that no data breach had occurred, and that the security team found no bulk downloads of the exposed data.

“The issue has been resolved, so no documents can be viewed. Our team is still busy with a full investigation into the matter and is reviewing all audit logs,” it said.

Accordingly, the Paymarker website no longer allows users to update or check their files. Instead, users receive an error message which indicates that an access error has occurred.

This meant users would be unable to access or update their private documents uploaded to the website to begin the registration process.

The error message also revealed the path to the blocked default folder and additional internal information about the server.

This included specific technical details about the server the company uses for the website and its infrastructure provider.

A threat actor could potentially exploit these details, and it would be better for Paymarker to use a more generic error message with less detail.

However, the patch blocked all file access permissions to the affected folder, preventing the data from being viewed or accessed without authorisation.
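The flawed access pattern described earlier, next to a form that keeps documents available to their owners while returning only a generic error, shown as an added example that is not Paymarker's code. The store, function names and messages are hypothetical, and the sample data in the usage is constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Upload:
    owner_id: int
    content: bytes


class UploadStore:
    """In-memory stand-in for the upload table (constructed for this example)."""

    def __init__(self):
        self.by_number = {}  # sequential reference, as in the flaw described
        self.by_token = {}   # unguessable reference used by the hardened path

    def save(self, owner_id, content):
        number = len(self.by_number) + 1
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        upload = Upload(owner_id, content)
        self.by_number[number] = upload
        self.by_token[token] = upload
        return number, token


def fetch_vulnerable(store, number):
    """The flawed pattern: any caller who changes the number gets the file."""
    upload = store.by_number.get(number)
    if upload is None:
        return 404, b"Document not available."
    return 200, upload.content


def fetch_hardened(store, session_user_id, token, audit_log):
    """Authorise every request against the session, not against the URL."""
    upload = store.by_token.get(token)
    allowed = upload is not None and upload.owner_id == session_user_id
    # Detail goes to the audit log. The client gets one generic answer for
    # "no such document" and "not your document", with no path or server info.
    audit_log.append((session_user_id, token[:8], "ok" if allowed else "denied"))
    if not allowed:
        return 404, b"Document not available."
    return 200, upload.content
```

The ownership check is what closes the hole; the random token only removes the ability to guess neighbouring references and is not a substitute for it.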
