On 7 June 2011, the Malaysian Ministry of Domestic Trade, Co-operatives and Consumerism launched the 1Malaysia Pengguna Bijak (1MPB) portal, which allows users to check the prices of consumer goods sold at 1,255 retail outlets across Malaysia.
The portal proved popular: it received 3.5 million hits since its launch, causing server downtime, according to Domestic Trade, Co-operatives and Consumerism Minister Datuk Seri Ismail Sabri Yaakob. According to him, the portal had been running on a single system but has since been split across several to accommodate the high number of hits. Things have returned to normal, he assured.
Not everything is fine and peachy for the portal, however. An article on the popular site Lowyat.net has claimed that the RM1.4 million portal is riddled with vulnerabilities which allowed almost all the data contained on the server to be accessed remotely. This data is not limited to prices of goods; it also includes the user names, email addresses and encrypted passwords of over 2,000 users who have registered at the portal.
The article also claimed that an email was sent to the administrators of the portal warning of these vulnerabilities but that, to date, nothing has been done to secure the servers.
This exposes the registered users to real risk, because such information can be put to malicious use: identity theft, logging in as those users once the passwords are recovered, or using the personal data to make phishing emails appear more legitimate to an unsuspecting user.
“These passwords are not difficult to decrypt. You can also use these vulnerabilities to defame the entire site,” Lowyat.net founder and chief executive Vijandren Ramadass told The Malaysian Insider.
He said that a hacker group called Rilekscrew also pointed out that “these vulnerabilities allowed almost all the data contained on the server to be remotely accessed.”
“Obviously, this is not an RM1.4 million job. Security and user privacy is a very important issue, especially on a site backed by the government,” he added.
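The article does not say how the portal stored its passwords, only that they were "encrypted" and "not difficult to decrypt". The usual reason a leaked credential table is easy to reverse is that the site stored a fast, unsalted hash (or a reversible encryption), so one precomputed table cracks every user at once. The following is an added example, not code from the portal or from Lowyat.net, that demonstrates this with a constructed four-user dump using unsalted MD5 and a tiny wordlist, beside the hardened form a site should use (a per-user random salt and a slow key-derivation function, here PBKDF2-HMAC-SHA256 from the Python standard library). The user names, hashes and wordlist are all made up for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# --- Weak scheme: fast, unsalted hash --------------------------------------
# Constructed leaked table (made-up users). The digests are plain MD5 hex of
# well-known weak passwords; "dave" has a strong one hashed inline.
LEAKED_MD5: Dict[str, str] = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",          # md5("password")
    "bob":   "e10adc3949ba59abbe56e057f20f883e",          # md5("123456")
    "carol": "d8578edf8458ce06fbc5bb76a58c5ca4",          # md5("qwerty")
    "dave":  hashlib.md5(b"7x!Qv#pL29mZ").hexdigest(),   # not in the wordlist
}

# Constructed wordlist. Real cracking lists hold hundreds of millions of entries.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "abc123"]


def crack_unsalted(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Reverse unsalted hashes with ONE precomputed table for the whole dump.

    Total work is len(wordlist) hash operations no matter how many users leaked,
    which is why such a dump is 'not difficult to decrypt'.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(digest) for user, digest in leaked.items()}


# --- Hardened scheme: per-user salt + slow key-derivation function ----------
ITERATIONS = 100_000  # chosen so a single verification costs tens of milliseconds


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store salt, iteration count and derived key together, so verification
    is self-describing and the work factor can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Same wordlist against salted PBKDF2. No shared table is possible: every
    guess must be recomputed per user, each at ITERATIONS cost. Weak passwords
    are still found eventually; the salt and KDF only make it expensive."""
    return {
        user: next((w for w in wordlist if verify_password(stored, w)), None)
        for user, stored in leaked.items()
    }


def hash_operations(users: int, wordlist_len: int) -> Dict[str, int]:
    """Attacker cost, in underlying hash invocations, to run one wordlist
    against a dump of `users` accounts under each scheme."""
    return {
        "unsalted_md5": wordlist_len,
        "salted_pbkdf2": users * wordlist_len * ITERATIONS,
    }


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LEAKED_MD5, WORDLIST))
    salted = {u: hash_password(p) for u, p in [("alice", "password"), ("dave", "7x!Qv#pL29mZ")]}
    print("salted:  ", crack_salted(salted, WORDLIST))
    print("work for 2,000 users and a 1M-word list:", hash_operations(2000, 1_000_000))
```

The unsalted run recovers three of the four accounts from a five-word list with five hash computations in total; against the salted store the same list has to be rerun per user at the full PBKDF2 cost, and the strong password is not recovered by it at all. The caveat for the portal operator is that the salt and slow KDF do not rescue users who chose "password"; they buy time to force a reset after a breach, which is why the unanswered warning email matters as much as the storage scheme.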
The government must take these security vulnerabilities seriously and take the necessary steps to prevent any further leakage of the personal data stored on the portal’s servers.