Security flaws in online recruiting system for Sixty60 delivery drivers
An online application system to become a Checkers Sixty60 driver contained a security vulnerability that allowed users to view the personal information of other applicants.
Sixty60’s drivers work for Pingo Delivery, a 50-50 joint venture between Shoprite and RTT Logistics.
A concerned tech-savvy MyBroadband reader who was curious about the Sixty60 driver registration process discovered a poorly configured recruitment website, drive4pingo.co.za, with significant security vulnerabilities.
Shoprite told MyBroadband that the website was run by a third-party recruitment service provider.
“Within just 10 minutes, it became clear that there were serious data security issues,” the reader said.
“I discovered a publicly accessible Django instance with debug mode enabled, along with hardcoded authentication credentials within the JavaScript.”
“The web application was poorly configured and built with no apparent consideration for web security standards.”
“This misconfiguration exposes sensitive application settings, internal information, and personal data.”
The personal data he was able to view included the full names, phone numbers, dates of birth, email addresses, physical addresses, and ID, passport or permit numbers of applicants.
In addition, he could see the applicants’ selfies, clothing and shoe sizes, and copies of their motorcycle licences and ID documents.
The reader shared redacted records of the online applications submitted on the platform.
The information included 243 pages consisting of 15 applications each, working out to 3,645 application sets.
Quick reaction from RTT
The reader said he initially contacted Pingo to report the problem but did not receive a response.
After getting in touch with RTT’s chief technology officer Rudi Keet, the information was forwarded to the relevant people within Pingo.
The reader recommended that the application website be taken offline immediately and that the Django debug mode on the production server be disabled.
They also advised Pingo to remove the hardcoded credentials from the client-side JavaScript, secure them properly, and ensure that they are changed.
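Two of those fixes can be checked mechanically. The following is an added example, not code from the article or from Pingo's service provider: a Python audit that flags the Django settings pattern the reader described (debug mode on, wildcard hosts, a development secret key) beside the hardened, environment-driven pattern, plus a regex scan for credential-looking assignments in client-side JavaScript. The settings values, environment variable names and JavaScript snippet are constructed for illustration; Django's own `manage.py check --deploy` raises the equivalent warning for `DEBUG = True`.

```python
import re

# Constructed example of the weak pattern: DEBUG left on in production, any Host
# header accepted, and the auto-generated development key still in use.
WEAK_SETTINGS = {
    "DEBUG": True,
    "ALLOWED_HOSTS": ["*"],
    "SECRET_KEY": "django-insecure-example-development-key",
}

def hardened_settings(env: dict) -> dict:
    """Hardened pattern: DEBUG defaults to off, hosts are pinned, and the
    secret comes from the environment (pass os.environ in a real deployment)."""
    return {
        "DEBUG": env.get("DJANGO_DEBUG", "0") == "1",
        "ALLOWED_HOSTS": [h for h in env.get("DJANGO_ALLOWED_HOSTS", "").split(",") if h],
        "SECRET_KEY": env["DJANGO_SECRET_KEY"],  # KeyError if unset: fail closed
    }

def audit_django_settings(settings: dict) -> list:
    """Return the production-readiness findings for a settings mapping."""
    findings = []
    if settings.get("DEBUG"):
        findings.append("DEBUG is True: tracebacks and settings are shown to visitors")
    hosts = settings.get("ALLOWED_HOSTS") or []
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS is empty or a wildcard")
    if settings.get("SECRET_KEY", "").startswith("django-insecure-"):
        findings.append("SECRET_KEY is the auto-generated development key")
    return findings

# Credential-looking assignments in JavaScript: `apiKey = "..."`, `"Authorization": "..."`.
CREDENTIAL_RE = re.compile(
    r"""(?i)\b(api[_-]?key|password|passwd|secret|token|authorization)\b["']?\s*[:=]\s*["']([^"']{6,})["']"""
)

def find_hardcoded_credentials(js_source: str) -> list:
    """Return the names of credential-looking assignments found in JavaScript text."""
    return [m.group(1) for m in CREDENTIAL_RE.finditer(js_source)]

# Constructed JavaScript resembling the hardcoded-credential finding (values are fake).
SAMPLE_JS = """
const apiKey = "AKIAEXAMPLE0000000";
fetch(url, {headers: {"Authorization": "Basic dXNlcjpwYXNz"}});
const label = "password";
"""
```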
Shortly after the vulnerability was reported, the application portal was taken offline.
Attempting to visit the website at the time of publication presented a “This site can’t be reached” error.
Contacted for comment, Shoprite confirmed that a concerned citizen made Pingo aware of the potential vulnerability on Friday, 25 October.
“The website was taken down immediately,” Shoprite said.
“Pingo will support the third-party service provider with any information as required by the Information Regulator.”
RTT and Pingo did not provide feedback by the time of publication.
Pingo under scrutiny
Shoprite is currently in discussions to acquire RTT’s stake in Pingo after the Competition Commission approved a takeover of the highly successful platform in September 2024.
This is not the first time Pingo’s treatment of Sixty60 drivers has drawn scrutiny.
There have been mounting concerns about the conditions under which Sixty60 drivers are required to work.
Recently, a Sixty60 driver contacted MyBroadband and described the platform’s controversial hiring and firing rotation process.
According to the driver, Pingo periodically activated and deactivated drivers’ accounts based on driver oversupply and order demand.
Due to this approach, drivers who were randomly blocked would be unable to earn income on certain days.
The cycle allegedly ended with about 15 drivers being dismissed by Pingo, something which would happen twice a year.
Shoprite said that it only blocked drivers if they violated their service contract.
Pingo was also accused of increasing shifts from nine hours to more than 12 hours per day.
Rejecting an order would result in a driver being blocked from the app.
Drivers earn about R7,600 per month before deductions for the motorcycle rental and fuel expenditure, which leaves them with about R2,800 in net monthly earnings.
After Pingo scrapped a minimum daily earning fee of R350, drivers went on strike.
When the driver went to address the issue with a person from Pingo’s head office, their motorcycle was loaded onto a truck, and they were blocked from the app.
Pingo did not provide feedback to the driver on why their account had been blocked and motorcycle confiscated. It also never responded to MyBroadband’s query about the issue.
The driver also alleged that they and a fellow driver made up half of the South Africans in a 30-driver team who had taken issue with the scrapping of the minimum earning fee.
That seems to support previous allegations by popular South African Twitter/X account Goolam, who suggested that over 99% of Pingo’s drivers were foreign nationals.