An online interface set up for the Administrative Adjudication of Road Traffic Offences (Aarto) system exposed the personal information of every South African who received an infringement notice under the new law.
Personal data contained in the leak included full names, ID numbers, residential or business addresses, phone numbers, vehicle registration information, and infringement details.
An anonymous security researcher who is a regular user of the system informed MyBroadband about the data leak.
They did not wish to approach the Aarto system operator directly, because the researcher was concerned that the new Cybercrimes Act and Protection of Personal Information Act could be used to prosecute them, despite their good intentions.
The Aarto Act established new processes for handling traffic infringements in South Africa, including a demerit point system.
Pretoria’s High Court declared the Act unlawful and unconstitutional on Thursday, 13 January.
The researcher found that Aarto’s system for querying infringement notices — a RESTful API — did not require authentication.
The Road Traffic Infringement Agency (RTIA) uses this API on its own Aarto traffic fine website to show motorists their outstanding fines.
The API accepted an infringement notice number as its only input and returned the full details of the fine in plain text, including the nature of the offence and the details of the vehicle’s owner. There was no session, login or other proof that the caller had any connection to the notice.
Anyone who knew the web address of the API could therefore trivially try random infringement notice numbers against it and obtain the private information of South African motorists in the database.
The address of the API is not secret. Because the Aarto website calls it from the user’s browser, anyone using the site can find it if they know where to look.
While infringement notice numbers are sixteen digits long, the first eight digits represent the nature of the offence and notice, so they are predictable rather than random.
An attacker with a basic understanding of how these numbers are structured therefore only needed to write a program that fixed the first eight digits and iterated through the last eight to harvest personal information. That is at most 10^8 (100 million) candidates per prefix, a search that is entirely practical against an endpoint with no authentication and no rate limiting, rather than the 10^16 a truly random sixteen-digit number would imply.
A redacted example of the output from the API is shown below. While that example is an old infringement, notices issued up to December 2021 were also exposed.
MyBroadband contacted the State IT Agency (Sita) and Road Traffic Infringement Agency (RTIA) for comment.
Sita said that it does not provide any support for Aarto systems.
RTIA, which is ultimately responsible for Aarto, acknowledged our notification and questions and said it had asked its developers to look into the issue.
It also promised to contact the colleagues who oversee the integration of Aarto into the National Traffic Information System.
After our notification to the RTIA, the Aarto API and traffic fine portal were briefly taken offline.
However, both were back online within a day, with the API still unauthenticated.
MyBroadband followed up with the RTIA on Monday, 18 January, to press for a coordinated disclosure deadline.
Following our query, the API was secured. Querying it without valid authorisation now returns an “Unauthorised” message.
The security researcher who reported the issue checked the Aarto website and found that the API now uses cryptographic tokens to authorise requests.
Aarto’s developers appear to have made the change at 18h45 on Monday night.
Users can still check on their fines, but random unauthorised requests to the API are no longer possible.
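As an added illustration (not code from the original article, and not RTIA’s implementation), the following Python models the two states of the endpoint described above: an unauthenticated lookup keyed only on the sixteen-digit notice number, which a short enumeration loop over the guessable suffix strips bare, and a hardened lookup that refuses any request lacking a token bound to that one notice. The notice records, the ID numbers, the HMAC token scheme, the five-minute expiry and the portal’s ownership check are all constructed assumptions; the article says only that the fixed API uses cryptographic tokens, not how they are built or issued.

```python
"""Constructed model of an Aarto-style notice lookup, before and after hardening.

Added example. The records below are fictitious, the "endpoint" is an in-memory
function rather than the real API, and the token design is a generic HMAC scheme
chosen for illustration, not RTIA's actual mechanism.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

PREFIX_LEN = 8   # leading digits encode the offence/notice type (per the article)
SUFFIX_LEN = 8   # trailing digits are the part an attacker has to guess

# Constructed sample records. Suffixes are kept tiny so the demo can brute-force a
# small window; a real prefix has 10**SUFFIX_LEN possible suffixes behind it.
NOTICES: Dict[str, dict] = {
    "02010003" + "00000017": {"owner": "A. Example", "id_number": "0000000000001",
                              "offence": "Exceeding 60 km/h in a 40 km/h zone"},
    "02010003" + "00000042": {"owner": "B. Sample", "id_number": "0000000000002",
                              "offence": "Failing to stop at a stop sign"},
    "02010003" + "00000099": {"owner": "C. Specimen", "id_number": "0000000000003",
                              "offence": "Parking in a loading zone"},
}


def suffix_keyspace() -> int:
    """Candidates an attacker must try per known eight-digit prefix."""
    return 10 ** SUFFIX_LEN


def lookup_unauthenticated(notice_number: str) -> Optional[dict]:
    """The original behaviour: any well-formed number returns the full record."""
    if len(notice_number) != PREFIX_LEN + SUFFIX_LEN or not notice_number.isdigit():
        return None
    return NOTICES.get(notice_number)


def enumerate_suffixes(prefix: str, lookup: Callable[[str], object],
                       start: int = 0, count: int = 100) -> Dict[str, dict]:
    """Walk a window of suffixes under one prefix; collect every record the endpoint gives up."""
    found: Dict[str, dict] = {}
    for n in range(start, start + count):
        number = prefix + str(n).zfill(SUFFIX_LEN)
        record = lookup(number)
        if isinstance(record, dict):          # only real records count as leaked
            found[number] = record
    return found


# Hardened form: a record is only returned with a token bound to that one notice.
SERVER_KEY = secrets.token_bytes(32)   # assumption: server-side secret, never sent to clients


def issue_token(notice_number: str, id_number: str, ttl_seconds: int = 300) -> Optional[str]:
    """Portal issues a token only after the caller proves a link to the notice.

    Assumption: the link is the owner's ID number. Any second factor the attacker
    cannot enumerate alongside the notice number would serve the same purpose.
    """
    record = NOTICES.get(notice_number)
    if record is None or not hmac.compare_digest(record["id_number"].encode(), id_number.encode()):
        return None
    expiry = int(time.time()) + ttl_seconds
    message = f"{notice_number}:{expiry}".encode()
    tag = hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()
    return f"{expiry}:{tag}"


def lookup_with_token(notice_number: str, token: Optional[str]) -> object:
    """Returns the record, or the string "Unauthorised" (the message the article reports)."""
    if not token or ":" not in token:
        return "Unauthorised"
    expiry_str, tag = token.split(":", 1)
    if not expiry_str.isdigit() or int(expiry_str) < time.time():
        return "Unauthorised"                 # expired or malformed
    expected = hmac.new(SERVER_KEY, f"{notice_number}:{expiry_str}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "Unauthorised"                 # token not issued for this notice
    return NOTICES.get(notice_number)


if __name__ == "__main__":
    leaked = enumerate_suffixes("02010003", lookup_unauthenticated)
    print(f"unauthenticated endpoint leaked {len(leaked)} records from a 100-number window")
    blocked = enumerate_suffixes("02010003", lambda n: lookup_with_token(n, None))
    print(f"hardened endpoint leaked {len(blocked)} records from the same window")
    tok = issue_token("0201000300000042", "0000000000002")
    print("own notice with token:", lookup_with_token("0201000300000042", tok))
    print("other notice with same token:", lookup_with_token("0201000300000017", tok))
```

Two properties of the hardened form matter more than the choice of HMAC. The token is bound to a specific notice number, so a token legitimately obtained for one fine cannot be replayed across the rest of the ID space, and the issuing step demands something the attacker cannot enumerate alongside the notice number. A rate limit on its own would only slow the harvest; the underlying flaw is an insecure direct object reference, and the fix has to tie each lookup to proof of entitlement.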
MyBroadband contacted the RTIA for comment again on Tuesday, but it did not respond.
Update — 19 January: RTIA thanked the security researcher and MyBroadband for reporting the issue and apologised for its delay in responding. It confirmed that the developers secured the API over the weekend.