Drivers who’ve registered for Gauteng’s controversial etoll system could find their personal details compromised thanks to a vulnerability discovered in the online account management pages of the automated tagging system.
Business tech site ITWeb was alerted to the vulnerability by a reader, who says that he had tried to bring it to the attention of etoll operator SANRAL almost a year ago. The electronic tolling gantries are due to be turned on by the end of the year, following numerous legal attempts to force the abandonment of the project.
We’ve seen evidence of the exploit in action, and experts talking to ITWeb have confirmed that it exists. The risk has been played down because of the complexity of the method required to exploit the loophole: a ‘man in the middle’ attack in which the attacker must be on the same network as the etoll user and able to intercept a session cookie issued by the secure area of the etoll website. The attacker can then log in with the same cookie at will. As a result it isn’t exposing large amounts of data and should also be easy to fix, notes Dominic White of SensePost.
Fortunately, the attack is not simple and is greatly limited in scope. While the episode reflects poorly on Sanral, the risk to e-toll customers is small. An attacker would have to be present on the same physical network as the e-toll user and conduct a comprehensive man-in-the-middle attack, in which case far more than e-toll data would be at risk.
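As an added example (not code from ITWeb, SANRAL or SensePost), here is a small Python check a site operator could run against their own login response’s Set-Cookie header to spot the attributes whose absence makes a session cookie readable on the network and replayable, as described above. The sample headers are constructed, and the check assumes, since the article does not say, that the cookie lacked the Secure attribute and a bounded lifetime.

```python
# Added example: audit a login response's Set-Cookie header for the attributes
# whose absence lets an on-path attacker read and replay a session cookie.
# Constructed sample headers (assumed weak and hardened forms, not captured
# from any real site).
WEAK_HEADER = "SESSIONID=3f9a1c7e; Path=/"
HARDENED_HEADER = ("SESSIONID=3f9a1c7e; Path=/; Secure; HttpOnly; "
                   "SameSite=Lax; Max-Age=1800")

# Short finding codes mapped to what each gap means for cookie hijacking
FINDINGS = {
    "no-secure": "no Secure attribute: the browser also sends the cookie over "
                 "plain HTTP, so anyone on the same network can read it",
    "no-httponly": "no HttpOnly attribute: page script can read the cookie",
    "no-samesite": "no SameSite=Lax/Strict: cookie is attached to cross-site requests",
    "long-lifetime": "Max-Age above the limit: a captured cookie stays valid too long",
}

def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lowercased; bare flags such as Secure map to "".
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_session_cookie(header: str, max_age_limit: int = 3600) -> list[str]:
    """Return the finding codes that apply to a session cookie header."""
    _, _, attrs = parse_set_cookie(header)
    found: list[str] = []
    if "secure" not in attrs:
        found.append("no-secure")
    if "httponly" not in attrs:
        found.append("no-httponly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        found.append("no-samesite")
    max_age = attrs.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > max_age_limit:
        found.append("long-lifetime")
    return found

if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        codes = audit_session_cookie(header)
        print(f"{label}: {codes or 'no findings'}")
        for code in codes:
            print("  -", FINDINGS[code])
```

Server-side session expiry and rotation of the session identifier on login, which limit how long a captured cookie can be replayed, are not visible in the header and need checking separately.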
Had the exploit remained undetected, however, the greatest risk of large-scale data exposure would have come from staff at an ISP exploiting it en masse against their own users. As with previous security flaws in government databases, under current legislation the public would have no right to know how many accounts had been breached, or even that an attack had taken place. Companies will be compelled to report data loss under the forthcoming Protection of Personal Information (POPI) legislation, however.