
Sanral tackles Web site 'risk'

By Nicola Mawson, Contributing journalist
Johannesburg, 17 Oct 2013
Sanral takes the security of information provided to it seriously, says spokesman Vusi Mona.

The South African National Roads Agency (Sanral) has identified an issue relating to a limited flaw in the of its e-tag Web site.

The flaw, which could enable a limited but sophisticated attack, could allow hackers to capture personal information, such as numbers, car registration details, physical and e-mail addresses, as well as cellphone numbers.

The Sanral attack, using a technique known as "session fixation", works by intercepting the user's communication with the Sanral Web site and injecting a cookie with a session ID known to the attacker, who can then access the user's e-toll page without logging in. The site trusts what appears to be a valid pre-existing cookie, instead of resetting it each time the user logs in.
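To make the two behaviours described above concrete, the following added example (not code from Sanral or from the article) models a minimal session store and compares a login that keeps the browser's pre-existing session cookie with one that issues a fresh session ID on every authentication. The session IDs, user name and store are constructed for the demonstration.

```python
import secrets


class SessionStore:
    """Toy in-memory session table: session id -> authenticated user (None = anonymous)."""

    def __init__(self):
        self.sessions = {}

    def accept(self, presented_id):
        # Accepts whatever id the browser presents and creates a session under it if
        # unknown. A site that behaves this way lets an id planted by a third party
        # become a live session, which is the precondition for fixation.
        sid = presented_id or secrets.token_urlsafe(32)
        self.sessions.setdefault(sid, None)
        return sid


def login_vulnerable(store, presented_id, user):
    # Keeps the pre-existing cookie and merely marks it as authenticated.
    sid = store.accept(presented_id)
    store.sessions[sid] = user
    return sid


def login_hardened(store, presented_id, user):
    # Mitigation: discard the presented session and bind the user to a new,
    # server-generated id, so a pre-known id never becomes an authenticated one.
    store.sessions.pop(presented_id, None)
    sid = secrets.token_urlsafe(32)
    store.sessions[sid] = user
    return sid


def whoami(store, sid):
    return store.sessions.get(sid)


def fixation_scenario(login):
    """Returns (user visible via the planted id after login, whether the id was rotated)."""
    store = SessionStore()
    planted_id = "constructed-id-known-to-third-party"  # constructed: cookie set before login
    store.accept(planted_id)                             # site creates a session under it
    new_id = login(store, planted_id, "victim")
    return whoami(store, planted_id), new_id != planted_id


if __name__ == "__main__":
    print("vulnerable:", fixation_scenario(login_vulnerable))  # planted id now sees "victim"
    print("hardened:  ", fixation_scenario(login_hardened))    # planted id sees nothing
```

The rotated-on-login check (`new_id != planted_id`) is the property a reviewer or tester should look for; a server that returns the same session cookie before and after authentication has the weakness the article describes.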

Sanral spokesman Vusi Mona says initial feedback on the investigations launched has identified an issue related to the flaw. "Appropriate measures to reduce the have been initiated already. Our evaluation indicated that it only affects that specific account and does not compromise the overall system/data security."

Mona adds Sanral welcomes any feedback that can assist it in making the system more secure.

The reader, who alerted ITWeb to the issue, claims to have told the agency about the matter last April, but - by Tuesday evening - it had not been fixed.

Mona confirms the enquiry was followed up with the customer, and it was escalated to the claims and complaints department, which followed it up. "The customer was contacted to request that he provide clarity regarding his concern."

The reader says he was called, but was unable to speak to someone with enough technical knowledge to explain the issue.

Mona adds: "Sanral takes the security of the information we receive very seriously. We carry out regular penetration testing on our system components and have state-of-the-art firewall and intrusion prevention systems in place.

"In the light of good governance and because we take this issue so seriously, we have recently launched an external penetration test on Web site vulnerabilities to evaluate this issue independently."
