{"id":94446,"date":"2014-01-07T11:08:12","date_gmt":"2014-01-07T09:08:12","guid":{"rendered":"http:\/\/mybroadband.co.za\/news\/?p=94446"},"modified":"2014-01-07T11:22:06","modified_gmt":"2014-01-07T09:22:06","slug":"massive-e-toll-website-security-flaw","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/94446-massive-e-toll-website-security-flaw.html","title":{"rendered":"Massive E-toll website security flaw"},"content":{"rendered":"<p>An unofficial security advisory issued by a hacker identifying themselves as \u201cMoe1\u201d has warned E-toll users that the PINs used to log into their E-toll website accounts can be easily obtained if their username is known.<\/p>\n<p>This is due to a page on the South African National Roads Agency Limited (Sanral) website which can be exploited to expose the PIN of any registered E-toll website user.<\/p>\n<p>The page is intended to be used as part of a standard two-stage account registration process, Moe1 explained, where the user would click on a link in an e-mail to confirm their account.<\/p>\n<p>However, the page at the link contains a \u201cserious security problem,\u201d according to Moe1. It provides the user\u2019s PIN on the confirmation screen.<\/p>\n<p>Although displayed as asterisks (*), creating the impression that the PIN is obscured, the PIN is actually available in clear text in the source code of the web page. The source can be easily viewed from just about any browser.<\/p>\n<p>In the security advisory, Moe1 provides a four-step guide to \u201chack an E-toll account in 5 seconds\u201d, along with a proof of concept exploit and a video of the exploit in action:<\/p>\n<p><iframe loading=\"lazy\" src=\"\/\/www.youtube.com\/embed\/cacn2vRWzF8\" height=\"338\" width=\"600\" allowfullscreen=\"\" frameborder=\"0\"><\/iframe><\/p>\n<p>According to Moe1, armed with just someone\u2019s E-toll username a hacker could obtain all kinds of sensitive information from the Sanral website.<\/p>\n<p>This includes ID numbers, vehicle license plate numbers, postal addresses, and payment methods.<\/p>\n<p>\u201cIt is great that Sanral informs you to keep your pin safe in their \u2018Terms and conditions\u2019 but it\u2019s not very great that they give out your pin to anyone that basically requests for it,\u201d Moe1\u2019s advisory concluded.<\/p>\n<p>Sanral was asked for comment but did not respond by the time of publication.<\/p>\n<p><a href=\"http:\/\/mybroadband.co.za\/vb\/showthread.php\/585998-SANRAL-E-TOLL-WEBSITE-VULNERABILITY\"><strong>Original Sanral E-toll website vulnerability thread<\/strong><\/a><\/p>\n<h3 id=\"related\">More SA website security news<\/h3>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/94332-big-cell-c-security-flaw-uncovered.html\"><strong>Big Cell C security flaw uncovered<\/strong><\/a><\/p>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/94234-my-vodacom-security-flaw-exposes-subscriber-details.html\"><strong>My Vodacom security flaw exposes subscriber details<\/strong><\/a><\/p>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/93533-city-of-joburg-website-hacking-case-update.html\"><strong>City of Joburg website \u201chacking\u201d case update<\/strong><\/a><\/p>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/government\/93697-sanral-public-e-toll-balance-check-removed.html\"><strong>Sanral public e-toll balance check removed<\/strong><\/a><\/p>\n<p><a href=\"http:\/\/mybroadband.co.za\/news\/security\/93287-sanral-website-exposing-your-e-toll-bills-a-problem-lawyer.html\"><strong>Sanral website exposing your e-toll bills a problem: lawyer<\/strong><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Your E-toll website PIN is visible to anyone with your username, a \u201csecurity advisory\u201d has warned<\/p>\n","protected":false},"author":15,"featured_media":94476,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[6525,35,17780,23072],"class_list":["post-94446","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-e-toll","tag-headline","tag-security-exploit","tag-south-african-national-roads-agency-limited-sanral"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/94446"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=94446"}],"version-history":[{"count":0,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/94446\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/94476"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=94446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=94446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=94446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}