Was The Mauritius National ID Card Website Vulnerable??
Nitin Sookun, a young Mauritian Linux enthusiast and blogger discovered vulnerability on the MNIC website recently. On his personal blog, he published about what he discovered.
According to the article, he came across this vulnerability while visiting the website for information regarding the deadline for the registration of the new ID Card. Not getting any information, he decided to click on the contact form to submit a query. He was surprised to see that the contact form was designed using Google Docs and on top right corner of the form, he discovered the option of "Request Edit Access". As the website was not protected with SSL and was requesting too much of personal information in the form, the young Mauritian decided to test the validity of the form first. He entered some dummy data and submitted the form. He received a notice that the query was recorded and on the same page, he had the option of seeing previous responses. Tempting to see what could that be, he clicked on the link and here was the surprise, every person who submitted queries had their private information listed there, name, national ID number, phone number, age, email addresses and the queries/complaints they submitted.
By the time of publishing, the contact page was unavailable. Mr Sookun updated his article twice, first to mention about the patching of the flaw and secondly to publish about the HTML source code of the contact form.
Our readers can have a look at original article [Click Here!]
According to the article, he came across this vulnerability while visiting the website for information regarding the deadline for the registration of the new ID Card. Not getting any information, he decided to click on the contact form to submit a query. He was surprised to see that the contact form was designed using Google Docs and on top right corner of the form, he discovered the option of "Request Edit Access". As the website was not protected with SSL and was requesting too much of personal information in the form, the young Mauritian decided to test the validity of the form first. He entered some dummy data and submitted the form. He received a notice that the query was recorded and on the same page, he had the option of seeing previous responses. Tempting to see what could that be, he clicked on the link and here was the surprise, every person who submitted queries had their private information listed there, name, national ID number, phone number, age, email addresses and the queries/complaints they submitted.
By the time of publishing, the contact page was unavailable. Mr Sookun updated his article twice, first to mention about the patching of the flaw and secondly to publish about the HTML source code of the contact form.
Our readers can have a look at original article [Click Here!]
Disclaimer
We only provide news relating to IT Security and hacking. We make no claim, promise, or guarantee about the accuracy, completeness, or adequacy of the contents of the original article, and expressly disclaim liability if ever there has been any unlawful act by the author of the original article.