The E-toll website once again let anyone view the so-called 7-day “grace period” outstanding balance of any vehicle, provided you had its license plate number.
A concerned reader recently contacted MyBroadband, saying that they were able to query the E-toll website of the South African National Roads Agency Limited (Sanral) without providing a legitimate ID number or validation code to its system that lets unregistered users view and pay their E-toll bill.
According to the reader, they were able to get at the grace period balances using a URL that was formed as follows:
MyBroadband contacted Sanral for comment on the flaw, but by the time of publication the agency had yet to respond.
However, following MyBroadband’s questions the roads agency seems to have patched its website. Further attempts to query bills without providing a valid ID number and validation code now reportedly result in an error being displayed.
This is the latest in a series of security flaws discovered in Sanral’s E-toll website.
Shortly after E-tolls launched in December 2013, a flaw that used the same URL as above also let anyone query the outstanding E-toll balance on a vehicle, provided they had its license plate number.
Sanral maintained that the feature was not a privacy concern, but disabled it “due to the misinformation and concerns raised”.
“The portal provided an easy way for road users travelling on the Gauteng e-roads but are not registered to establish the amount due and to allow for a secure payment through an online e-commerce gateway,” Sanral spokesperson Vusi Mona said at the time.
Towards the end of December 2013, a significant security vulnerability was reported in the E-toll website which potentially let an attacker retrieve the PIN of a user if their username was known.
Sanral called the exposing of the vulnerability a “cyber attack”.
On 20 March 2014 Sanral finally called on its users to reset their PINs:
- Massive E-toll website security flaw
- E-toll website flaw a cyber-attack: Sanral
- E-toll website security issue, PINs reset
Earlier in March, another flaw was reported that once again let anyone with an E-toll website account view the outstanding balance on any vehicle so long as they had the licence plate number:
This means that there have been at least 3 different flaws on the E-toll website that exposed the outstanding balance on a vehicle, and one more serious vulnerability that Sanral took months to respond to.
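The recurring flaw in these reports is the same pattern: a balance lookup that answers for any licence plate without proof that the requester is entitled to that account (the ID number and validation code the unregistered-user flow is supposed to demand). The following is an added example, not code from Sanral's site or from this article, showing that pattern beside a hardened lookup and a simple log check for plate enumeration. Everything in it is constructed: the account records, the server secret, the HMAC-derived validation code, the `/balance` path and the log lines are assumptions for illustration, not Sanral's real scheme or URLs.

```python
import hmac
import hashlib
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample records (hypothetical plates, ID numbers and balances).
ACCOUNTS = {
    "ABC123GP": {"id_number": "8001015009087", "balance_cents": 12345},
    "XYZ789GP": {"id_number": "9002026009088", "balance_cents": 500},
}
# Assumed server-side secret used to derive validation codes (hypothetical).
SERVER_SECRET = b"assumed-server-side-secret"


def validation_code(plate, id_number):
    """Hypothetical scheme: the code sent to the motorist is an HMAC over plate and ID."""
    msg = f"{plate}|{id_number}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:8].upper()


def lookup_balance_insecure(params):
    """The flawed pattern: any caller who knows a plate gets that vehicle's balance."""
    acct = ACCOUNTS.get(params.get("plate", "").upper())
    if acct is None:
        return {"status": 404, "error": "unknown plate"}
    return {"status": 200, "balance_cents": acct["balance_cents"]}


def lookup_balance_hardened(params):
    """Fixed pattern: the plate alone proves nothing; require the ID number and the
    validation code bound to that plate, and return one generic error for every failure
    so the response does not reveal whether a plate exists or which field was wrong."""
    plate = params.get("plate", "").upper()
    id_number = params.get("id_number", "")
    code = params.get("code", "")
    generic = {"status": 403, "error": "invalid plate, ID number or validation code"}
    acct = ACCOUNTS.get(plate)
    if acct is None:
        return generic
    # Constant-time comparisons so timing does not leak which value mismatched.
    id_ok = hmac.compare_digest(acct["id_number"], id_number)
    code_ok = hmac.compare_digest(validation_code(plate, acct["id_number"]), code)
    if not (id_ok and code_ok):
        return generic
    return {"status": 200, "balance_cents": acct["balance_cents"]}


# Constructed access-log lines in a common-log-like shape (hypothetical path and IPs).
SAMPLE_LOG = """\
10.0.0.5 - [20/Mar/2014:10:00:01] "GET /balance?plate=ABC123GP" 200
10.0.0.5 - [20/Mar/2014:10:00:02] "GET /balance?plate=XYZ789GP" 200
10.0.0.5 - [20/Mar/2014:10:00:03] "GET /balance?plate=DEF456GP" 404
10.0.0.9 - [20/Mar/2014:10:05:00] "GET /balance?plate=ABC123GP&id_number=8001015009087&code=PLACEHOLDER" 403
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) .*"GET /balance\?(?P<qs>[^" ]*)" (?P<status>\d+)')


def flag_plate_enumeration(log_text, threshold=3):
    """Detection: a source that queries many distinct plates is enumerating accounts,
    which a legitimate motorist checking their own vehicle never needs to do.
    Returns the offending source addresses, sorted."""
    plates_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        plate = parse_qs(m.group("qs")).get("plate", [""])[0].upper()
        if plate:
            plates_by_ip[m.group("ip")].add(plate)
    return sorted(ip for ip, plates in plates_by_ip.items() if len(plates) >= threshold)


if __name__ == "__main__":
    print(lookup_balance_insecure({"plate": "ABC123GP"}))
    print(lookup_balance_hardened({"plate": "ABC123GP"}))
    print(flag_plate_enumeration(SAMPLE_LOG))
```

The hardened handler treats the plate as a lookup key, not as a credential; the validation code is what ties the request to someone who legitimately received it, and the identical error for unknown plates and wrong codes stops the endpoint from doubling as a plate-existence oracle. The log check is the corresponding monitoring control: even a correctly gated endpoint benefits from an alert on sources that walk through many plates.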
Perhaps it is time that the roads agency change its approach to security on its website.