There is a vulnerability on the E-toll website that lets any registered user access anyone\u2019s outstanding balance, according to a report on ITWeb.<\/p>\n
The report said that exploiting the vulnerability is trivial, and indicated that all that is needed is an E-toll account and a modern browser with built-in developer tools.<\/p>\n
This is because the E-toll website billing page embeds the license number as a hidden field, which can easily be accessed and modified.<\/p>\n
Instead of preventing the user from querying the balance of a vehicle not registered to their account, the E-toll site reportedly returns the outstanding amount.<\/p>\n
It is not the first time an easy-to-exploit security flaw has been identified in the E-toll website.<\/p>\n
Earlier this year a security researcher who went by \u201cMoe1\u201d reported a vulnerability that made it possible to get the PIN of many registered E-toll users so long as their usernames were known.<\/p>\n
A hacker could then log into the victim\u2019s account and access that person\u2019s private details.<\/p>\n
At the time, Sanral\u2019s response to the disclosure of the security flaw in its website was to threaten legal action<\/a> against Moe1.<\/p>\n Prior to these security vulnerabilities being uncovered, MyBroadband reported that Sanral’s E-toll website allowed anyone to check the outstanding balance of any vehicle<\/a> that had passed under a gantry.<\/p>\n Initially Sanral said that this was a service provided to E-road users, despite the fact that to access this “feature” users had to jump through hoops.<\/p>\n The feature eventually disappeared from the E-toll website, but only after it was used to track the E-toll bill of US President Barack Obama<\/a> during his visit to South Africa for the memorial service of former president Nelson Mandela.<\/p>\n Sanral did not immediately respond to requests for comment on this story.<\/p>\n E-toll security hole: don\u2019t shoot the messenger<\/strong><\/a><\/p>\n Website security flaws in SA \u2013 shooting the messenger<\/strong><\/a><\/p>\n E-toll website flaw a cyber-attack: Sanral<\/strong><\/a><\/p>\nMore Sanral security articles<\/h3>\n