The South African National Roads Agency (Sanral) has patched a vulnerability in its smartphone app that allowed anyone to reset an account's password if they knew the account's email address.

The vulnerability was present in both the Android and iOS apps, allowing anyone to reset an account’s password with just the registered email address and without requiring two-factor authentication.

MyBroadband investigated the issue after receiving a tip-off from a reader and was able to reset a staff member’s Sanral password with just their email address.

“If you have a user’s username and email, which, as far as I can tell, for most users, is just the email for both, you can reset their password and change it to whatever you want,” the user reporting the issue said.

MyBroadband contacted Sanral to inform them of the vulnerability and arrange a coordinated disclosure. “Thank you for reaching out and for bringing this to our attention,” Sanral said.

“At Sanral, the security of our customer information and the integrity of our digital platforms remain top priorities. We continuously monitor and test our systems to identify and address any vulnerabilities.”

It added that Sanral’s ICT division recently assumed responsibility for managing and overseeing the mobile platform from the contractor who built it and operated it on the agency’s behalf.

“As part of our digital transformation agenda, we have initiated a structured programme to review the platform end-to-end — from analysis, design and build, to core features and functions,” it said.

“This programme is already well underway and is expected to run over the next two months.”

Sanral did not respond to our request to arrange a coordinated disclosure deadline. However, the vulnerability appears to have been addressed.

The system now requires users to enter a one-time PIN sent to their registered email address before processing a password reset.
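The patched flow described above can be sketched as follows. This is an added example, not Sanral's code, whose implementation the article does not describe. `ResetService`, `send_email`, the five-minute PIN lifetime and the five-guess limit are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

OTP_TTL = 300      # assumed PIN lifetime in seconds
MAX_TRIES = 5      # assumed wrong guesses allowed per PIN

class ResetService:
    """Hypothetical account store and reset flow (constructed for illustration)."""

    def __init__(self, send_email, clock=time.time):
        self.send_email = send_email        # callable(email, pin): delivery to the registered mailbox
        self.clock = clock
        self.key = secrets.token_bytes(32)  # server-side key for PIN digests
        self.accounts = {}                  # email -> (salt, password hash)
        self.pending = {}                   # email -> [pin digest, expiry, tries left]

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)
        self.accounts[email] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def check_password(self, email, password):
        salt, stored = self.accounts[email]
        return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def request_reset(self, email):
        if email in self.accounts:
            pin = f"{secrets.randbelow(10**6):06d}"
            self.pending[email] = [self._digest(pin), self.clock() + OTP_TTL, MAX_TRIES]
            self.send_email(email, pin)
        return "If that address is registered, a PIN has been sent."  # same reply either way

    def confirm_reset(self, email, pin, new_password):
        entry = self.pending.get(email)
        if entry is None:
            return False                     # no PIN was requested: knowing the email is not enough
        if self.clock() > entry[1] or entry[2] <= 0:
            del self.pending[email]          # expired or guessed too often: start over
            return False
        if not hmac.compare_digest(entry[0], self._digest(pin)):
            entry[2] -= 1
            return False
        del self.pending[email]              # single use
        self.set_password(email, new_password)
        return True

    def _digest(self, pin):
        return hmac.new(self.key, pin.encode(), hashlib.sha256).digest()
```

The password only changes once the caller proves control of the registered mailbox, and a six-digit PIN is only safe to rely on because it expires, is single use and allows a limited number of guesses.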

Tackling South Africa’s pothole crisis

The Sanral smartphone app offers pothole reporting functionality through its integration with the Department of Transport’s Vala Zonke project.

Motorists can report potholes from within the Sanral app, which will mark the location for the department’s teams to patch the hole.

However, progress has been slow. The dedicated Vala Zonke app launched in August 2022, and the department’s teams had closed just 7,842 of the nearly 46,693 reported potholes as of April 2024.

Former transport minister Sindisiwe Chikunga said at the time that the number of potholes closed was likely higher, as not all authorities reported back to the Vala Zonke War Room, or did so in the wrong format.

She said the Vala Zonke War Room was working on a mechanism to reconcile blacktop patching with pothole repairs.

Chikunga also said the Vala Zonke Pothole Reporting app had accumulated 21,341 downloads since its launch.

Previously, in November 2024, Chikunga revealed the total area of potholes that had been filled during the first half of the 2023/24 financial year, as well as the associated costs.

She said government had filled roughly 1.3 million square metres of potholes during the period, with KwaZulu-Natal receiving the most attention. She said fixing potholes costs R700 to R1,500 per square metre.