A flaw in the Department of Home Affairs website has exposed the details of people attempting to contact the department.
A MyBroadband reader contacted us regarding the issue after, he said, several of his attempts to contact the department and alert it to the matter had failed.
He found that on the website’s Ask Us page, users were required to complete a form to lodge a query with Home Affairs.
The form requires users to input the following details:
- First name
- Last name
- ID or case number
- Cellphone number
- Detailed query
It also requires users to complete a reCAPTCHA form before submitting their details. At the time of writing, the reCAPTCHA was displaying the following error message:
reCAPTCHA V1 IS SHUTDOWN
Direct site owners to g.co/recaptcha/upgrade
However, on these occasions the form was already completed with the details of a previous user – allowing anyone to view their name, ID/case number, cellphone number, and the nature of their query.
MyBroadband managed to replicate this issue multiple times, and each time we were presented with the personal details of a person’s query submission.
A redacted screenshot of the form information exposed due to this issue is shown below.
It is unclear how many users were exposed in this manner, and whether the reCAPTCHA issue was the cause of the data leak.
Home Affairs – No comment
MyBroadband reached out to the Department of Home Affairs for comment on the matter, but it did not respond.
Update – The Ask Us web page on the Home Affairs website has been taken offline following the publication of MyBroadband’s report.