Last month, MyBroadband reported a potential security flaw on the Gauteng Department of Education’s admissions portal, which facilitates online applications for learners.
Parents and guardians could apply through the website for their Grade 1-8 child to be admitted into selected public schools in Gauteng.
These application forms were stored in the Department’s database, and applicants could monitor their application through the portal by logging in with their username and password.
However, a registered user could view other applicants' information simply by changing the ID number at the end of the URL for their own application.
There was no additional security check when navigating to those URLs, so by logging in once, every applicant effectively had access to every other application filed on the system.
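The flaw described above is an insecure direct object reference: the record is fetched by the ID in the URL alone, with no check that the logged-in user owns it. The following added example (not the portal's code; all records, user names and IDs are constructed) shows such a lookup beside the ownership-scoped version that closes the hole.

```python
# Constructed sample data standing in for the admissions database.
# Keys are the application IDs that would appear at the end of the URL.
APPLICATIONS = {
    1001: {"applicant": "parent-a", "learner": "Learner A", "grade": 1},
    1002: {"applicant": "parent-b", "learner": "Learner B", "grade": 4},
}


def get_application_vulnerable(session_user, app_id):
    """Lookup keyed only on the URL ID.

    The logged-in user is ignored, so anyone with an account can read any
    record just by changing the number in the URL (the reported flaw).
    """
    return APPLICATIONS.get(app_id)


def get_application_fixed(session_user, app_id):
    """Lookup scoped to the logged-in user.

    Returns None both when the record does not exist and when it belongs to
    someone else, so a caller cannot tell which IDs exist by probing.
    """
    record = APPLICATIONS.get(app_id)
    if record is None or record["applicant"] != session_user:
        return None
    return record


def audit_cross_user_requests(requests):
    """Defender-side check over constructed access-log tuples
    (session_user, app_id): counts per user how many requests targeted
    records they do not own. A user with many such hits is a signal worth
    alerting on even after the ownership check is in place.
    """
    counts = {}
    for user, app_id in requests:
        record = APPLICATIONS.get(app_id)
        if record is not None and record["applicant"] != user:
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    # parent-a views their own application, then edits the URL to 1002.
    print(get_application_vulnerable("parent-a", 1002))  # leaks Learner B
    print(get_application_fixed("parent-a", 1002))       # None
```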
Upon being notified of the potential vulnerability, MyBroadband immediately contacted the Gauteng Department of Education and alerted them to the issue.
The Department confirmed receipt of our notification, but did not provide comment or feedback for an extended period of time.
There has since been no communication from the Department and it did not disclose whether the vulnerability had been fixed.
MyBroadband was initially alerted to the problem by a 10dot Cloud Security representative who discovered the vulnerability and attempted to follow up with the Department with no success.
10dot told MyBroadband that the issue on the admissions portal website had since been fixed, which would have involved changing the website's code.
The company added that this security flaw was likely the result of poor security design principles.
“We would suspect poor User Acceptance Testing (UAT) at the website development phase, and a poor understanding of security design principles to follow in website design,” 10dot said.
10dot said that while the issue has been fixed, there are other steps the website administrator should take to ensure security.
“We would recommend that the web admin also employ a web application firewall (WAF) from a reputable vendor, and possibly look at incorporating a valid SSL certificate,” the company said.
Tips for government
MyBroadband asked 10dot what steps government departments can take to improve the security of their official websites and databases.
10dot advised that government departments follow these basic guidelines to ensure their online platforms are secure:
- Incorporate SSL on all websites.
- Ensure proper UAT is conducted at the development and even design phase.
- Incorporate best practice in terms of secure software design for all website development.
- Host the website with a reputable hosting provider.
- Use firewalls and web application firewalls to protect the perimeter.
The company also suggested that government departments outsource the security management of their websites and online platforms to reputable companies, which would remove the likelihood of security vulnerabilities appearing over time due to poor maintenance.