MyBroadband was recently informed of a potential security flaw on the Gauteng Department of Education’s admissions portal.
The website facilitates online applications for admission of learners to public schools for grades 1-8.
Through the website, parents or guardians can apply online for their child to be admitted into selected public schools in Gauteng.
Once they have completed the application form, parents can then monitor their application through the portal after logging in with their user name and password.
These credentials are provided to users once they register an account and submit an application.
Potential security problem
A potential security issue was reported to MyBroadband by a concerned user who used the admissions portal.
To monitor their applications, users are provided with a URL directing them to a page on the website – from which they can monitor their application after logging in.
After logging in and viewing their application, however, the user reported that they could change the application number at the end of the URL to view other applicants’ details.
By changing the application number at the end of the URL in their web browser, the user could see the following details of other applicants:
- School name
- Learner’s full name
- Parent/Guardian’s full name
- Learner’s ID number
- Parent/Guardian’s ID number
- Distance from school in km
This potential security issue could be due to a failure to properly secure each application against access by other registered users, making all applications accessible to any applicant logged in to the system.
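The control whose absence is described above is a per-record ownership check on every lookup, in addition to the login check. The following Python sketch is an added illustration, not code from the portal or from the report; the function names, account names and records are hypothetical and the data is constructed.

```python
# Constructed sample data: application number -> record, including the owning account.
APPLICATIONS = {
    1001: {"owner": "parent_a", "school": "Example Primary", "learner": "Learner A"},
    1002: {"owner": "parent_b", "school": "Sample High", "learner": "Learner B"},
}


class NotFound(Exception):
    """Raised for both missing and foreign records, so the two cases look identical."""


denied_lookups = {}  # account -> number of refused lookups, kept for monitoring


def view_application_unchecked(session_user, application_number):
    # Flawed pattern: being logged in is the only condition that is checked.
    if session_user is None:
        raise PermissionError("login required")
    record = APPLICATIONS.get(application_number)
    if record is None:
        raise NotFound(application_number)
    return record


def view_application_checked(session_user, application_number):
    # Corrected pattern: the record must belong to the logged-in account.
    if session_user is None:
        raise PermissionError("login required")
    record = APPLICATIONS.get(application_number)
    if record is None or record["owner"] != session_user:
        denied_lookups[session_user] = denied_lookups.get(session_user, 0) + 1
        raise NotFound(application_number)
    return record


def accounts_to_review(threshold=3):
    # Several refused lookups from one account suggest someone stepping through numbers.
    return sorted(user for user, count in denied_lookups.items() if count >= threshold)
```

Returning the same error for a missing record and for a record owned by someone else keeps the response from confirming which application numbers exist.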
Gauteng Department of Education
MyBroadband contacted the Gauteng Department of Education, alerting them to the potential issue and asking for feedback on the matter.
The department confirmed it had received notification of the problem. Despite multiple follow-ups, however, it did not provide feedback.