South Africa’s private security regulator has potentially exposed the names, email addresses, mobile numbers and passwords of system administrators through a recently launched online platform.
An attacker could have used these credentials to access Private Security Industry Regulatory Authority (PSiRA) customer data or manipulate information in the system.
Fortunately, there is no evidence that a malicious actor exploited the vulnerability.
The data was exposed through a public application programming interface (API) accessible without username or password.
It was possible to query an API endpoint and receive a single XML file with all personal information and passwords for each administrative user on the system.
Administrator user passwords include “123456789”, “admin123”, “[email protected]”, and “[email protected]”.
MyBroadband contacted PSiRA after being made aware of the vulnerability.
To the industry regulator’s credit, it immediately disabled the insecure API that was leaking the data.
He also quickly negotiated a coordinated disclosure deadline when we sent out a follow-up request.
PSiRA’s Senior Director of Business and Information Systems, Hofney Moepi, explained that they launched their revamped online platform on February 3, 2022.
The regulator put it to tender August 14, 2020, with eleven companies responding by the September 18, 2020 deadline.
PTPi — People Technology Processes Integrated Pty (Ltd) — Won with an offer of R7,728,000.
Towards the end of February, PSiRA conducted a vulnerability assessment of the new system with a third-party company.
“No major or critical vulnerabilities have been identified,” Moepi said.
The assessment detected a few minor issues which PSiRA began to address, when a software developer who asked to remain anonymous alerted MyBroadband to the vulnerability.
Moepi said it appeared the problem slipped through when PTPi added features requested by PSiRA after the vulnerability assessment was completed.
“Our preliminary investigation identified that the information exposed was that of the PSiRA administration credentials and not those of our customers,” Moepi said.
“After being informed, passwords for all employee logins have been changed.”
When asked why the passwords were in the API and why the developers hadn’t hashed them, Moepi replied that they were errors that had been fixed.
The API has also been locked down. Users now need to authenticate to use it.
“Authorized API users have access to system records. However, this access is limited based on their roles,” Moepi said.
MyBroadband has contacted PTPi for comment, and it has not responded at the time of publication.