The South African National Roads Agency SOC Ltd’s (Sanral) mobility account website has a flaw, where it won’t accept payments from cards with Card Verification Values (CVVs) starting with zero.

A MyBroadband reader informed us of the issue when trying to make a payment on the website, only to be told that their three-digit CVV, starting with zero, is too short and invalid.

“BAD DATA: CVV number too short,” the error message reads when using a CVV starting with zero.

It appears that the system doesn’t recognise zeroes at the beginning of CVV numbers. We tested it using a CVV that didn’t start with zero and paid without any issues.

MyBroadband asked Sanral if it was aware of the programming error and how long it would be before it was resolved, but the agency didn’t immediately respond to our query.

Sanral recently told MyBroadband that Sanral’s ICT division has assumed responsibility for managing and overseeing its mobile platform from the contractor who built and operated it.

“As part of our digital transformation agenda, we have initiated a structured programme to review the platform end-to-end — from analysis, design, and build, to core features and functions,” it said.

“This programme is already well underway and is expected to run over the next two months.”

It remains unclear whether the CVV issue was a result of the agency’s ICT division taking more responsibility for its IT infrastructure.

Sanral’s disclosure that it had assumed responsibility for its mobile platform came after a reader tipped us off about a severe vulnerability within the agency’s app.

The flaw enabled any individual to reset Sanral account passwords if they knew the registered email address.

The system did not require any two-factor authentication and simply let users change the password with just the account’s email address.

“If you have a user’s username and email, which, as far as I can tell, for most users, is just the email for both, you can reset their password and change it to whatever you want,” the user reporting the issue said.

MyBroadband investigated the security flaw and confirmed that the vulnerability existed in both the Android and iOS versions of the app. The vulnerability has since been patched.

“Thank you for reaching out and for bringing this to our attention,” Sanral told MyBroadband.

“At Sanral, the security of our customer information and the integrity of our digital platforms remain top priorities. We continuously monitor and test our systems to identify and address any vulnerabilities.”

Filling South Africa’s potholes

Through its integration with the Department of Transport’s Vala Zonke project, the Sanral smartphone app lets users report potholes on South Africa’s roads.

Pothole locations can be reported from within the Sanral app, which marks the location for the department’s teams to patch the hole.

However, it hasn’t made rapid progress. The dedicated Vala Zonke app launched in August 2022, and in its latest update, the department revealed that just 7,842 of the 46,693 potholes reported had been closed as of April 2024.

At the time, former transport minister Sindisiwe Chikunga said the figure was likely higher, as not all authorities were reporting back to the Vala Zonke War Room, or were doing so incorrectly.

She said the Vala Zonke War Room was working on a mechanism to reconcile blacktop patching with pothole repairs.

As of April 2024, the Vala Zonke Pothole Reporting app had accumulated 21,341 downloads since it launched.

In November 2023, Chikunga shared an update on the square meterage of potholes filled during the first half of the 2023/24 financial year, along with the associated costs.

The Vala Zonke Project had filled 1.3 million square metres of potholes during the period. Chikunga said KwaZulu-Natal had received the most attention regarding fixing potholes, adding that repair costs range from R700 to R1,500 per square metre.