{"id":353473,"date":"2020-05-27T14:56:25","date_gmt":"2020-05-27T12:56:25","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=353473"},"modified":"2020-05-27T14:58:29","modified_gmt":"2020-05-27T12:58:29","slug":"data-leak-on-uif-covid-19-relief-scheme-website","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/cloud-hosting\/353473-data-leak-on-uif-covid-19-relief-scheme-website.html","title":{"rendered":"Data leak on UIF COVID-19 relief scheme website"},"content":{"rendered":"<p>The Unemployment Insurance Fund (UIF) has made changes to the website for its Temporary Employer-Employee Relief Scheme (TERS) after a security researcher reported a data leak.<\/p>\n<p>This leak allowed anyone to obtain the UIF reference numbers of employers who had been paid out, and look up how much they had been paid.<\/p>\n<p>UIF reference numbers were published as part of a <strong><a href=\"https:\/\/uifecc.labour.gov.za\/covid19\/paidEntitiesList\" target=\"_blank\" rel=\"noopener noreferrer\">list of paid employers<\/a><\/strong> on a website hosted under the Department of Employment and Labour&#8217;s domain.<\/p>\n<p>This list of paid employers can still be downloaded in CSV format from the UIF website, but it no longer includes UIF reference numbers.<\/p>\n<p>After MyBroadband and the security researcher reported the issue, the UIF reference numbers were removed from the downloadable list.<\/p>\n<p>Armed with a list of UIF reference numbers, an attacker could go to the &#8220;<strong><a href=\"https:\/\/uifecc.labour.gov.za\/covid19\/paymentStatusJsp\" target=\"_blank\" rel=\"noopener noreferrer\">My Payment Status<\/a><\/strong>&#8221; page and query the reference number.<\/p>\n<p>While this page now features a Captcha, it did not have one a few weeks ago. The Captcha was only added after we raised the matter with the UIF.<\/p>\n<p>Before the Captcha was implemented, it would have been simple for an attacker to write a script to extract the amounts paid and processing dates for each of the UIF reference numbers that were readily downloadable from the same website.<\/p>\n<p>It is also still possible to look up the payment status and amount paid for anyone so long as you have their UIF reference number, or ID number.<\/p>\n<p>The UIF does not require that you register an account or log in to look up this information.<\/p>\n<p>Screenshots of the information returned by the <strong><a href=\"https:\/\/uifecc.labour.gov.za\/covid19\/paymentStatusJsp\" target=\"_blank\" rel=\"noopener noreferrer\">My Payment Status<\/a><\/strong> page are included below.<\/p>\n<p>MyBroadband contacted the Ministry of Labour for comment and was directed to speak directly to representatives of the UIF.<\/p>\n<p>The UIF did not respond to a request for comment.<\/p>\n<h3 class=\"my-4\">UIF COVID-19 National Disaster TERS payment status screenshots<\/h3>\n<div id=\"attachment_353477\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><a  data-lightbox=\"post-image\" href=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2020\/05\/UIF-query-payment-status.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-353477\" class=\"wp-image-353477 size-full\" src=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2020\/05\/UIF-query-payment-status.jpg\" alt=\"Screenshot of UIF COVID-19 TERS National Disaster System payment status query form\" width=\"640\" height=\"368\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2020\/05\/UIF-query-payment-status.jpg 640w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2020\/05\/UIF-query-payment-status-600x345.jpg 600w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><p id=\"caption-attachment-353477\" class=\"wp-caption-text\">UIF COVID-19 TERS National Disaster System payment status query form<\/p><\/div>\n<div id=\"attachment_353475\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><a  data-lightbox=\"post-image\" href=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2020\/05\/UIF-query-payment-status-result.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-353475\" class=\"wp-image-353475 size-full\" src=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2020\/05\/UIF-query-payment-status-result.jpg\" alt=\"Screenshot of UIF COVID-19 TERS National Disaster System payment status results screen\" width=\"640\" height=\"244\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2020\/05\/UIF-query-payment-status-result.jpg 640w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2020\/05\/UIF-query-payment-status-result-600x229.jpg 600w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><p id=\"caption-attachment-353475\" class=\"wp-caption-text\">UIF COVID-19 TERS National Disaster System payment status results screen<\/p><\/div>\n<h3 class=\"my-4\">Now read: <a href=\"https:\/\/mybroadband.co.za\/news\/fibre\/349938-supersonic-fixes-leak-in-data-usage-website.html\">Supersonic fixes leak in data usage website<\/a><\/h3>\n","protected":false},"excerpt":{"rendered":"<p>The Unemployment Insurance Fund has made changes to the website for its Temporary Employer-Employee Relief Scheme after a security researcher reported a data leak.<\/p>\n","protected":false},"author":15,"featured_media":84987,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[20263,35,64793],"class_list":["post-353473","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud-hosting","tag-department-of-labour","tag-headline","tag-unemployment-insurance-fund-uif"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/353473"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=353473"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/353473\/revisions"}],"predecessor-version":[{"id":353709,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/353473\/revisions\/353709"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/84987"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=353473"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=353473"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=353473"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}