Jump to content

KPDNHEP suspends Petrol Subsidy Programme microsite which exposed users’ bank account details


zanderthunder

Recommended Posts

Thursday, 17 Oct 2019 | 1:15 PM MYT

By Angelin Yeoh

 

333461.jpg.f5b9cead682f178c3ba34d920b08d7bb.jpg

The Petrol Subsidy Programme microsite, which went live on Oct 15, is for users to find out if they are eligible for petrol subsidy, as announced in Budget 2020.

 

The Domestic Trade and Consumer Affairs Ministry (KPDNHEP) has suspended the newly-launched Petrol Subsidy Programme microsite after a tech portal reported that it exposed users’ bank account details.

KPDNHEP head of corporate communication, Yunus Tasim, said the ministry is aware and investigating the issue.
 

"Once we got the news, we decided to put the website on hold because we don't want to risk anything. We don't want users to be sceptical about our system,” he said.

He added that once the issue is rectified, the ministry will restore the system.

Lowyat had reported that once a person’s MyKad number is entered in the portal, it will reveal the last four digits of the user’s bank account number.

However, when it looked into the source code, the full account number was visible.

Yunus said the ministry will be in touch with Lowyat for more information.

“We would like to thank all the users for their patience and feedback given to us," he said.

Cybersecurity company LGMS director Fong Choong Fook said the security flaw is mostly likely due to the ministry rushing to launch the microsite.

The Petrol Subsidy Programme microsite, which went live on Oct 15, is for users to find out if they are eligible for petrol subsidy, as announced in Budget 2020.

“The bigger concern now is if someone can use the website as a tool to phish out information, just imagine what that person can do with the details,” Fong said.

“They could impersonate a bank officer and call a victim for extortion. A lot of exploitation can be done here."

Dr Aswami Fadillah Mohd Ariffin, president of Protem Digital Forensics Research Society (DFRS), said web-based development should go through security auditing at the staging level before production to avoid any security issues when the site goes online.

He said that the website developer must ensure secure coding and infrastructure design are followed before giving the go ahead for the launch.

Once the ministry rectifies the issue and rechecks again, it can give users access to the website, he added.

Fong said the issue can be rectified with a "quick fix on the coding side".

 

Source: KPDNHEP suspends Petrol Subsidy Programme microsite which exposed users’ bank account details (via TheStar Online)

Link to post
Share on other sites

Program Subsidi Petrol Microsite Found Disclosing Recipient’s Bank Account Details

 

2019-10-16-1024x578.jpg.4322325bd5850b06fbbc3a3f82a08dfa.jpg

 

Update 1.05pm 17th October – We can independently confirm that the vulnerability has been fixed, and the site is no longer displaying the account details in a publicly readable format.

 

 

Original Story 9.01am 17th October – The Petrol Subsidy Programme microsite was launched on the 15th of October by the Domestic Trade and Consumer Affairs Ministry to help recipients of the recently announced subsidy programme to check on their eligibility status online.

 

It is estimated that close to 2.9 million recipients of the Bantuan Sara Hidup (BSH) aid will be eligible for the Petrol Subsidy aid, as long as they have a vehicle registered under their name. The bulk of the data for the online check is based on the information provided during the application for the Bantuan Sara Hidup scheme, as highlighted by the honorable Minister, Datuk Seri Saifuddin Nasution Ismail during the launch.

 

While the site works as intended, we can exclusively reveal that the site is also revealing complete private banking details of the eligible recipients. Keying in an eligible person’s MyKAD number will bring up the usual details, inclusive of the Bank Name which was registered during the Bantuan Sara Hidup application as well as the eligibility amount. Similar to the BSH eligibity check, only the last four digits of the account number will be displayed.

2019-10-16-22.jpg.8e51895d86b7b0120c17d84214ef256d.jpg

However, this is where the similarities end. While the account number on the Bantuan Sara Hidup site are masked on the backend and only partially sent out, the Program Subsidi Petrol site is sending out the complete account number, and then masking it on the form itself. A quick check on the source code of the results page will reveal the complete bank account number.

2019-10-16-4.jpg.7d938970901b023f23662967567f2c79.jpg

We have tested out the resulting account number and can confirm that the account number that is displayed is the full account number and belongs to the actual owner of the MyKAD number that we used for this example.

2019-10-16-6.jpg.0e2b62783efd9b3cf7f3e66fc24eaa63.jpg

We went on and tested at least 5 more random MyKad numbers and can confirm that we were able to obtain the full account numbers of the eligible recipients in the same way as outlined above.

 

 

Local bank accounts being abused by scammers for malicious purposes have been on the rise in recent years – with the Commercial Crimes Department of the Royal Malaysian Police launching a dedicated site for members of the public to check whether accounts they are transferring or receiving money from have been flagged as mule accounts.

 

We reached out to KPDNHEP via email late yesterday evening to highlight this issue but have yet to receive any response. At time of writing, the full account numbers are still being disclosed via the source code of the site.

 

Source: Program Subsidi Petrol Microsite Found Disclosing Recipient’s Bank Account Details (Via Lowyat.NET)

 

p/s: Given is the English translation of some few Malay terms used in this article, for better understanding.
1. Program Subsidi Petrol = Petrol Subsidy Programme

2. Bantuan Sara Hidup = Household Living Aid

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...