Security | 14.04.2022

Bad system design exposes South African private security body’s incredibly weak passwords

Fidelity Services Group armed guard with riot shield

South Africa’s private security regulator potentially exposed system administrators’ names, email addresses, cellphone numbers, and passwords through a newly-launched online platform.

An attacker could have used these credentials to gain access to the Private Security Industry Regulatory Authority (PSiRA) client data or manipulate information in the system.

Fortunately, there is no evidence that a malicious actor exploited the vulnerability.

The data was being exposed through a public, web-based application programming interface (API) accessible without a username and password.

It was possible to query one API endpoint and receive a single XML file with all the personal details and passwords of every administrative user in the system.

Administrator user passwords included “123456789”, “admin123”, “Password@1”, and “Password1234@”.

MyBroadband contacted PSiRA after being informed about the vulnerability.

To the industry regulator’s credit, it immediately disabled the unsecured API leaking the data.

It also quickly negotiated a coordinated disclosure deadline when we sent a follow-up query.

PSiRA business and information systems senior manager Hofney Moepi explained that they launched their revamped online platform on 3 February 2022.

The regulator put it out to tender on 14 August 2020, with eleven companies responding by the deadline on 18 September 2020.

PTPi — People Technology Processes Integrated Pty (Ltd) — won with a bid of R7,728,000.

PSiRA head office

Towards the end of February, PSiRA conducted a vulnerability assessment on the new system with a third-party company.

“There were no major or critical vulnerabilities identified,” Moepi said.

The assessment detected a few minor issues, which PSiRA had started fixing when a software developer who asked to remain anonymous alerted MyBroadband to the vulnerability.

Moepi said it seemed as though the issue crept in when PTPi added features that PSiRA requested after the vulnerability assessment was concluded.

“Our preliminary investigation identified that information exposed was that of PSiRA administration credentials and not that of our clients,” Moepi stated.

“Upon being informed, credential passwords for all employees were changed.”

Asked why passwords were in the API at all, and why the developers hadn’t hashed them, Moepi said that these were mistakes that had been rectified.

The API has also been locked down. Users must now authenticate to use it.

“Authorised API users have access to the records in the system. However, such access is limited based on their roles,” said Moepi.
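To make the pattern concrete, the following Python sketch is an added illustration and is not part of the article, PSiRA's platform, or PTPi's code. It contrasts what the article describes (an unauthenticated endpoint that returns every administrator record as XML with the password in clear) with the remediation Moepi lists: callers must authenticate, passwords are stored only as salted hashes, the hash is never serialised, and what a caller can see is limited by role. Every name, email address, cellphone number, password and role below is constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from xml.etree import ElementTree as ET

# Constructed sample records (hypothetical; nothing here is from the real system).
ADMINS_PLAINTEXT = [
    {"name": "Alice Example", "email": "alice@example.invalid",
     "cell": "000 000 0001", "role": "superadmin", "password": "Password@1"},
    {"name": "Bob Example", "email": "bob@example.invalid",
     "cell": "000 000 0002", "role": "operator", "password": "admin123"},
]


def vulnerable_export() -> str:
    """The weak design the article describes: no authentication, every field,
    passwords in the clear, one XML document for all administrative users."""
    root = ET.Element("users")
    for rec in ADMINS_PLAINTEXT:
        user = ET.SubElement(root, "user")
        for key, value in rec.items():          # includes the "password" field
            ET.SubElement(user, key).text = value
    return ET.tostring(root, encoding="unicode")


# --- hardened variant -------------------------------------------------------

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)       # memory-hard KDF settings


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Return (salt, digest). A fresh random salt is drawn per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


class AccessDenied(Exception):
    """Raised for missing/invalid sessions or bad credentials."""


@dataclass
class AdminStore:
    users: dict                                   # email -> record (no plaintext password)
    sessions: dict = field(default_factory=dict)  # bearer token -> email

    @classmethod
    def from_plaintext(cls, records):
        """One-off migration: replace each plaintext password with salt + digest."""
        users = {}
        for rec in records:
            salt, digest = hash_password(rec["password"])
            users[rec["email"]] = {"name": rec["name"], "cell": rec["cell"],
                                   "role": rec["role"], "salt": salt, "digest": digest}
        return cls(users)

    def login(self, email: str, password: str) -> str:
        """Authenticate and issue an opaque session token."""
        user = self.users.get(email)
        if user is None or not verify_password(password, user["salt"], user["digest"]):
            raise AccessDenied("bad credentials")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = email
        return token

    def export(self, token: str) -> str:
        """Authenticated, role-limited export; salt and digest are never serialised."""
        email = self.sessions.get(token)
        if email is None:
            raise AccessDenied("authentication required")
        caller = self.users[email]
        # Role limit (hypothetical policy): superadmin sees all records,
        # any other role sees only its own record.
        visible = self.users.items() if caller["role"] == "superadmin" else [(email, caller)]
        root = ET.Element("users")
        for addr, user in visible:
            node = ET.SubElement(root, "user")
            ET.SubElement(node, "name").text = user["name"]
            ET.SubElement(node, "email").text = addr
            ET.SubElement(node, "role").text = user["role"]
        return ET.tostring(root, encoding="unicode")


def denied(func, *args) -> bool:
    """Helper for checks: True if the call is rejected with AccessDenied."""
    try:
        func(*args)
    except AccessDenied:
        return True
    return False


def user_count(xml_text: str) -> int:
    return len(ET.fromstring(xml_text).findall("user"))
```

Two points worth noting about the hardened variant: the export path never has a plaintext password to leak, because the store holds only a salt and a scrypt digest, and the XML writer names each emitted field explicitly instead of iterating over the whole record, so a newly added column cannot silently end up in the response as it did in the vulnerable version.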

MyBroadband contacted PTPi for comment, but it had not responded by the time of publication.

