Update: The Ministry says the security flaw has been fixed and the Petrol Subsidy Programme microsite is now back online.
The Domestic Trade and Consumer Affairs Ministry (KPDNHEP) has suspended the newly-launched Petrol Subsidy Programme microsite after a tech portal reported that it exposed users’ bank account details.
The Ministry’s head of corporate communication, Yunus Tasim, said the ministry is aware and investigating the issue.
“Once we got the news, we decided to put the website on hold because we don’t want to risk anything. We don’t want users to be sceptical about our system,” he said.
He added that once the issue is rectified, the ministry will restore the system.
Lowyat had reported that once a person’s MyKad number is entered in the portal, it will reveal the last four digits of the user’s bank account number.
However, when Lowyat inspected the page's source code, the full account number was visible: the number was only masked in what the browser displayed, not in the data the server sent.
Yunus said the ministry will be in touch with Lowyat for more information.
“We would like to thank all the users for their patience and feedback given to us,” he said.
Cybersecurity company LGMS director Fong Choong Fook said the security flaw is most likely due to the ministry rushing to launch the microsite.
The Petrol Subsidy Programme microsite, which went live on Oct 15, is for users to find out if they are eligible for petrol subsidy, as announced in Budget 2020.
“The bigger concern now is if someone can use the website as a tool to phish out information, just imagine what that person can do with the details,” Fong said.
“They could impersonate a bank officer and call a victim for extortion. A lot of exploitation can be done here.”
Dr Aswami Fadillah Mohd Ariffin, president of Protem Digital Forensics Research Society (DFRS), said web-based development should go through security auditing at the staging level before production to avoid any security issues when the site goes online.
He said that the website developer must ensure secure coding and infrastructure design are followed before giving the go ahead for the launch.
Once the ministry rectifies the issue and rechecks again, it can give users access to the website, he added.
Fong said the issue can be rectified with a “quick fix on the coding side”.
Full article from TheStar:
ACE Holdings Berhad is a partner of LGMS Global, forming ACE Accelerator Network Sdn Bhd to advocate and support cyber security entrepreneurship, while also nurturing skilled cyber security professionals to meet the growing demand in this space.
ABOUT ACE HOLDINGS BERHAD
ACE Holdings Berhad is an investment holdings company and the ultimate parent to the entities in the ACE Group of Companies. Since 1992, ACE Holdings has built a reputation for pioneering innovative business models, opening up new markets and categories, and pursuing mutually beneficial collaborations with renowned multinational corporations. This is made possible by its vastly talented and experienced team, who are dedicated towards evaluating and carrying out investment strategies founded on five market sustainability pillars – high-growth enterprises, high-yielding capital market instruments, well-defined strategies, sophisticated financial modelling tools, and market innovations.