DigiTech ‘app store’ makes ultimate password faux pas
Despite undergoing a redesign, the Department of Communications and Digital Technologies’ (DCDT’s) DigiTech “app store” featured a security red flag.
A reader alerted ITWeb to a security flaw in the DigiTech website that could allow anyone to login with the word “admin” as the username and password.
News of the flaw followed ITWeb’s report that the DCDT spent R743 645 to redesign its controversial “app store”.
DigiTech’s redesign process, which was concluded on 30 March, was prompted by the fact that the platform “did not meet DCDT specifications”, communications minister Mondli Gungubele said in a written Parliamentary response.
Among the new features and improvements included in the redesign was that “the security of the new DigiTech site has been enhanced”, Gungubele indicated.
Following the alert from the reader, an ITWeb employee logged-in using “admin” as the username and password, gaining access to the backend of the site.
Once logged-in, a security notice popped up on the screen, with a warning to change the password. “The password you just used was found in a data breach. Google Password Manager recommends changing your password now.”
The DigiTech site also showed that @admin has been a “member for seven years five months”.
It’s unclear how long the login details were “admin”, but when the ITWeb employee tried to access the site again today, they were unable to.
News of the security flaw in the redesigned site was communicated to the department, which said it escalated the matter to the State IT Agency (SITA), which did the redesign of DigiTech.
The department says: “According to SITA, the issue of the username and password to access the site being both admin has already been remediated/resolved.
“On the admin being a member for seven years and five months, according to SITA, the initial theme was created 7.5 years ago and it has gone through multiple version updates without recreating the admin user. This only shows the age of the user account from the initial inception of the version.”
In terms of usage of the “app store”, the department says the site currently has six users who are part of the system administrator user group.
Additional to this, there are 47 SMME active users, 13 blocked SMME users and three profile approvers.
Officially unveiled in May last year, by former communications and digital technologies minister Khumbudzo Ntshavheni, the DCDT-supported site was described as a platform for digital products/applications developed by SMMEs in SA.
According to the department, its purpose is to collect data about digital products developed in South Africa with an aim of supporting the products’ technology enablement, and promote and expand their adoption and use.
Through DigiTech, the DCDT said it sought to promote South African-developed digital products in other markets, while facilitating partnerships with other countries on co-promotion of local technologies.
The communications ministry added the platform serves as a digital distribution service developed, maintained and operated by the South African government.
DA MP Solly Malatsi also criticised the DigiTech platform, saying it looked like a “Grade Eight IT project”.
Amid the rising number of security breaches, cyber security experts have warned that most South African citizens and firms still don’t take password management as seriously as they should.
According to proprietary password manager NordPass, the top five most common passwords used in 2021 were: 123456, 123456789, 12345, qwerty and password – with all passwords taking less than one second to crack.
The TransUnion hackers previously revealed it was effortless to break into the credit bureau’s IT systems because it had used the word “password” as its password.