South African DigiTech “app store” uses R925 website template
The South African government’s DigiTech platform runs on extremely outdated software and was built using a $59 (R925) template for Drupal, an open-source content management system.
Communications minister Khumbudzo Ntshavheni launched DigiTech on 17 May 2022, billing it as an app store that showcases South African talent.
“DigiTech serves as a digital distribution service developed, maintained, and operated by the South African government,” the minister stated.
“The platform allows users to browse and download apps developed across operating systems.”
DigiTech uses an ancient Drupal template called Hasta that is for sale on the Envato Market.
A security researcher who spoke to MyBroadband on condition of anonymity found that DigiTech runs on Drupal 7.31, released in 2014.
The developers have tagged this old release as “insecure”.
In addition, the webserver runs PHP 5.36 — an old version of the server-side web programming language that hasn’t been supported since 2014.
DigiTech’s developer set the site up to allow anyone to register an account and upload a “digital product”, complete with images and video links.
Users had to provide ID numbers and other personal data to upload their products. However, the system did not appear to perform any validation to ensure people weren’t using fake or stolen identities.
The DigiTech website does not have a TLS certificate, so users had to send personal data over an unencrypted channel.
User-created digital products were automatically pulled through to the marketplace section of the DigiTech website, which was nothing more than a grid of photos and videos.
South Africans quickly learned how to exploit the poorly designed system and created listings pointing to videos such as Rick Astley’s hit Never Gonna Give You Up.
There were also politically-themed videos, including one featuring the topic of nepotism.
Mercifully, the exploitation of the system was limited to Rickrolling, social commentary, and quiet protests.
The security researcher told MyBroadband that the listing’s description allowed arbitrary HTML, which attackers could have used for cross-site scripting (XSS).
Such code would have run in the visitor’s browser when a listing was clicked, potentially executing attacks against visitors’ computers or infecting them with malware.
The researcher also confirmed a Business Insider report that the DigiTech site leaked the ID numbers and other private data that early legitimate users may have provided.
This vulnerability was a simple enumeration flaw that allowed any logged-in user to see the personal details of other users.
Since registration was free, anyone could access this information if they wanted to.
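A log-side check for the enumeration pattern described above, as an added example that is not part of the article or of the DigiTech code base: it flags logged-in users who pull many distinct profile pages in a short window. It assumes Drupal 7 style profile paths of the form /user/<id> and an access log whose third field carries the authenticated username; the log lines are constructed.

```python
# Added example (not from the article or DigiTech): flag logged-in users that
# fetch many distinct /user/<id> profile pages within a short window. Assumes
# Drupal 7 style profile URLs and a combined-format log carrying the username.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
10.0.0.5 - alice [18/May/2022:09:00:01 +0200] "GET /user/101 HTTP/1.1" 200 1432
10.0.0.5 - alice [18/May/2022:09:00:02 +0200] "GET /user/102 HTTP/1.1" 200 1398
10.0.0.5 - alice [18/May/2022:09:00:03 +0200] "GET /user/103 HTTP/1.1" 200 1410
10.0.0.5 - alice [18/May/2022:09:00:04 +0200] "GET /user/104 HTTP/1.1" 200 1405
10.0.0.9 - bob [18/May/2022:09:00:06 +0200] "GET /user/200 HTTP/1.1" 200 1500
"""  # constructed sample lines, combined log format

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
PROFILE_RE = re.compile(r'^/user/(\d+)$')  # whole profile pages only

def parse_line(line):
    # Returns (user, timestamp, path, status) or None for unparseable lines.
    if not (m := LOG_RE.match(line)):
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['user'], ts, m['path'], int(m['status'])

def find_enumerators(log_text, threshold=3, window=timedelta(minutes=1)):
    # Maps each user who viewed more than `threshold` distinct profiles
    # (HTTP 200) inside any `window` to the sorted ids they reached.
    hits = defaultdict(list)  # user -> [(timestamp, profile id)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, ts, path, status = rec
        pm = PROFILE_RE.match(path)
        if pm and status == 200:  # only successful profile views count
            hits[user].append((ts, int(pm.group(1))))
    flagged = {}
    for user, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered views
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = {pid for _, pid in events[start:end + 1]}
            if len(ids) > threshold:
                flagged[user] = sorted(ids)
                break
    return flagged
```

The threshold and window are tuning knobs; on a real site the same check would also catch the sequential-id sweeps that a free-registration marketplace invites.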
The DigiTech site has since been locked down and cleaned up. It is no longer possible to register, and existing user accounts appear to have been disabled.
MyBroadband contacted the Department of Communications and Digital Technologies for comment, but it did not respond by the time of publication.