
Another e-toll security flaw exposed

By Jon Tullett, Editor: News analysis
Johannesburg, 13 Mar 2014
The e-toll billing page's source code can be manipulated to look up any vehicle's outstanding balance.

Another privacy flaw has been identified in Sanral's e-toll Web site, ITWeb has confirmed. The flaw, similar to a previous vulnerability we reported last year, allows road users to be tracked as they travel under e-toll gantries.

Armed with only a licence plate number, a snoop can query the outstanding toll balance of any motorist. If that motorist is not paying tolls directly (such as via an e-tag), the updating balance can be correlated against the list of gantry prices to deduce their exact movements. ITWeb confirmed the flaw, accessing the account balance of staff members.

This is a privacy issue, revealing a motorist's whereabouts to inquisitive employers, spouses, or potential criminals. Novation Consulting director Elizabeth de Stadler previously described it as "quite ridiculous", exposing an infringement of the Protection of Personal Information Act and potentially contravening motorists' constitutional right to privacy.

In 2013, when the earlier flaw was revealed, Sanral downplayed the impact, claiming it was the intention to allow motorists to pay each other's outstanding balances. However, it did move quickly to patch the flaw, restricting users' access to only their own balances. Unfortunately, it did not secure the underlying data thoroughly, allowing another attack to retrieve the same data.

Trivial hack

Retrieving a motorist's balance is very simple. The site's billing page embeds the licence number as a hidden form field; because hidden fields are under the user's control, the value can be trivially edited in the browser before the form is submitted. The server then fails to check that the submitted licence number belongs to the logged-in account, and returns the other vehicle's outstanding balance instead.

The request can easily be scripted to automatically scrape updated values every few minutes, providing an ongoing record of new transactions.
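The flaw described above is an insecure direct object reference: the server trusts a client-supplied identifier (the licence number) without checking that the caller is authorised to see the record it names. The block below is an added illustration, not Sanral's code or anything recovered from the site: it models the trusting handler beside a hardened one that resolves the plate against the authenticated account, and includes a small function showing why a leaked balance is also a location leak when successive balances are matched against a gantry tariff table. All account names, plate numbers, balances and gantry prices are constructed for the example.

```python
# Added example (not Sanral's code): an insecure direct object reference in a
# balance-lookup form, beside a hardened version that enforces ownership.
# All data below is constructed for illustration.

# Constructed sample data: which plates each logged-in account owns, and
# each plate's outstanding balance. Plate numbers are invented.
ACCOUNT_PLATES = {
    "alice": {"ABC123GP"},
    "bob": {"XYZ789GP"},
}
BALANCES = {
    "ABC123GP": 412.50,
    "XYZ789GP": 1287.00,
}


class Forbidden(Exception):
    """Raised when the caller asks for a plate it is not linked to."""


def tampered_form(victim_plate: str) -> dict:
    """What a snoop submits: the 'hidden' licence field edited in the browser."""
    return {"licence_number": victim_plate}


def vulnerable_lookup(session_user: str, form: dict) -> float:
    """Mirrors the flaw in the article: the plate comes from a hidden form
    field and is used as-is. The session user is never compared with the
    plate's owner, so any plate's balance can be queried."""
    plate = form["licence_number"]
    return BALANCES[plate]


def hardened_lookup(session_user: str, form: dict) -> float:
    """Server-side authorisation: the submitted plate must be one linked to
    the authenticated account. Hiding the field in the page is not a control;
    this check is."""
    plate = form["licence_number"].strip().upper()
    if plate not in ACCOUNT_PLATES.get(session_user, set()):
        raise Forbidden(f"{session_user} is not linked to plate {plate}")
    return BALANCES[plate]


def lookup_denied(session_user: str, form: dict) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        hardened_lookup(session_user, form)
    except Forbidden:
        return True
    return False


def infer_gantry_passes(samples: list, gantry_prices: dict) -> list:
    """Why a leaked balance is a location leak: each rise between two polls
    is matched against the tariff table. Returns (amount, candidate gantries);
    an amount shared by several gantries is reported with all candidates."""
    by_price = {}
    for gantry, price in gantry_prices.items():
        by_price.setdefault(round(price, 2), []).append(gantry)
    passes = []
    for prev, cur in zip(samples, samples[1:]):
        delta = round(cur - prev, 2)
        if delta > 0:
            passes.append((delta, by_price.get(delta, [])))
    return passes


if __name__ == "__main__":
    # Bob edits the hidden field to Alice's plate.
    form = tampered_form("ABC123GP")
    print("vulnerable handler returns:", vulnerable_lookup("bob", form))
    print("hardened handler refuses:", lookup_denied("bob", form))

    # Constructed tariff table and a few polled balances for the victim.
    tariffs = {"TG1": 2.10, "TG2": 2.90, "TG3": 2.10}
    polled = [100.0, 102.1, 102.1, 105.0]
    print("inferred passes:", infer_gantry_passes(polled, tariffs))
```

The fix is the ownership check in `hardened_lookup`, applied on every request regardless of what the page shows; removing the visible option to query another plate, as the article says was done, changes nothing if the server still honours whatever value arrives in the field.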

When ITWeb reported on the previous flaw, the site did no checking whatsoever, allowing any registered user to look up any other motorist's balance. Now the site does attempt to limit access: the developers have removed the visible option to request another user's balance, but that appears to do no more than conceal the unsecured form field, without removing it or validating its value on the server.

"When there is a leak, you can't just patch it with masking tape," says technology analyst Liron Segev. "You have to fix the underlying cause of the leak. I believe over time that Sanral will continue to be probed and prodded until real sensitive information is exposed, discrediting the organisation and embarrassing Sanral and the government."

"Outa is not surprised by the number of flaws and privacy issues being exposed in Sanral's e-toll system," said spokesman Wayne Duvenage.

"Sanral's arrogance in setting up the e-toll process fell far short of many requirements, be it the regulatory impact assessment, public and business consultation and so forth. Clearly, their lack of foresight and attention to detail will trip them up in the POPI and database security matters, but will they take note and care?"

Don't ask, don't tell

ITWeb offered to share technical details of the attack with Sanral, but the agency did not reply. Earlier this week, Sanral stated: "In light of your publication admitting to hacking into our system, Sanral will no longer cooperate with ITWeb, as you are dealing with us in bad faith."

The agency has previously threatened legal action against a researcher who reported another more serious security flaw, which allowed users' accounts to be accessed and their personal details harvested.

Sanral's poor security track record continues. Aside from thousands of billing mistakes and system failures, this latest revelation follows vulnerabilities which permitted complete control of a victim's account, the earlier flaw which allowed users to be tracked, hijacking of logged-in sessions, and the revelation that the entire e-toll image database is publicly accessible, as well as DDoS attacks, bomb threats and anthrax scares.

Spokesman Vusi Mona infamously told radio listeners that the agency's position on phishing attacks was that victims should "raise your IQ".

The agency has yet to notify users of any breaches, many of which are now months old. In the last contact ITWeb had with agency executives, it was confirmed that Sanral had been unaware of attacks for weeks while they were ongoing, and had yet to establish which user accounts had been compromised.
