The South African Post Office’s online licence disc renewal system had a significant data privacy flaw that could allow malicious actors to download signatures, ID copies, and proof of address documents.

MyBroadband alerted the Post Office to the vulnerability and, to its credit, it immediately disabled the feature that caused the issue while it finds a better way to implement it.

The South Africa Post Office (Sapo) told MyBroadband that the issue relates to a feature that lets its customers view their signature and ID upload if they want to amend it.

“We have removed the functionality temporarily in order for us to review a better way of doing it,” it said.

“This means in the interim customers will not be able to view the signature or ID that they uploaded.”

A MyBroadband reader alerted us to the vulnerability on Thursday, 8 September 2022. They asked to remain anonymous.

“If you know a person’s ID number, you can download that person’s signature, ID document and proof of address from the sapomvl.co.za website without logging in and without knowing the person’s username or password,” the reader said.

If exploited, the flaw would have allowed malicious actors to pull customers’ digital signatures, copies of their IDs, and proof of address, provided they knew the person’s ID number.

Obtaining a customer’s digital signature was relatively simple.

This required sending a GET request, which could be done by entering the URL in your browser containing the customer’s ID and the correct file extension.

Pulling ID copies and proofs of address was more complex and involved sending a POST request to a specific URL.

Pulling these documents also requires the customer’s ID number and the correct file extension. The file extension depends on the format in which the user uploaded their documentation, such as PDF, JPG, or PNG.

It should be noted that the response from the POST request is base64 encoded, meaning it has to be decoded before you can access the raw file.

A MyBroadband staff member who had previously used the service confirmed the vulnerability using Postman before raising the alarm to the Post Office.

They managed to pull their digital signature, ID copy, and proof of address in a matter of minutes.

The vulnerability exists because the system’s application programming interface (API) is unauthenticated. Sapo could resolve it by requiring that users submit credentials with their requests.

MyBroadband recently tested Sapo’s online licence disc renewal service with impressive results.

A staff member submitted their renewal application on Tuesday, 30 August 2022, and their new licence disc was delivered to our offices on Friday the same week.

We asked Sapo how its online renewal platform had performed since launching in January 2022, and it said it had processed 46,000 licence disc renewals through the system as of 5 September 2022.

“The renewals initially stabilised at around 6,500 per month and are gradually growing with just over 7,200 renewals in August 2022,” Sapo told MyBroadband.

The Post Office acknowledged that it had experienced some challenges with the system after it launched.

“The back-office work is done manually; essentially, the applicant uploads the documents that the law requires Sapo to provide — a certified identity document and proof of address not older than 3 months,” it said.

“At the beginning, customers often uploaded expired or uncertified documents.”

The Post Office added that its staff have now gotten used to the system and are rapidly completing renewals.