News Avenue

Sunday 22 October 2017

National Addressing System (GPS): Technical Review (Security Issues)

I heard about the growing debate on the National Addressing System in the tech community. I have read a couple of articles on the flaws and issues with usability. I decided to take a different perspective by looking at the security aspect of the entire system. In order to identify various security loopholes I decided to build my own version using CSS, HTML, JavaScript, Bootstrap and jQuery. See attached screenshots for my version. Below are the issues identified:

1. I managed to map out all of their API's URLs and realized I can simply make CRUD requests without any authentication. So I decided to use their own API and database instead of creating my own database and API.

2. Ideally, with my app running from my local machine, their web server should reject any HTTP request from an unknown domain, or at least apply basic CORS restrictions. My app managed to break through.

3. Since I can make requests to their API easily, I can also perform SQL injection.

4. I managed to get the list of all the districts in their system with a simple HTTP GET request. See attached image.

5. They keep reaching the limit of their Google Maps API usage, and I keep getting repeated warnings. A hacker can easily use their Google Maps API and run billions of requests to increase their API usage charges. To test this, I ran 500 requests at once; see the attached image. Error: "The API project is not authorized to use this API"

6. I did basic clickjacking (a type of attack where a malicious site wraps another site in a frame) on the website and it succeeded.

7. Their input fields to enter name and phone number accept gibberish. This means that the platform is vulnerable to cross-site scripting (XSS), a type of attack that allows a user to inject client-side scripts into the browsers of other users.

8. Also, irrespective of which country I am currently located in, the system generates a unique code for me. Hackers would love this, because if I am located in the USA, for example, I can generate millions of unique codes. Their database would be overwhelmed and eventually break down. Instead of the 16.1 billion unique codes estimated by Vokacom for 27 million Ghanaians, it could be quadruple, quintuple, sextuple, septuple, octuple, ..., n-tuple. Basically, 16,000,000,000 x n-tuple. Can you think about the massive amount of redundant data generated?

9. And the list goes on and on.
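As an added illustration (not code from the original post or from the Vokacom platform), the following Node.js request-policy check models the server-side controls whose absence items 1, 2, 6 and 7 describe: a credential requirement on create/update/delete calls, an origin allowlist for CORS, anti-framing headers, and validation of the name and phone fields. The allowed origin, the token, the function names and the request shape are all assumptions.

```javascript
// Added example (not the platform's code): server-side controls whose absence
// items 1, 2, 6 and 7 describe. Origin allowlist and token are constructed.
const ALLOWED_ORIGINS = new Set(['https://addressing.example.gov.gh']); // assumption
const VALID_TOKENS = new Set(['constructed-api-token']);                // constructed
// Item 6: headers that stop other sites from wrapping the page in a frame.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Item 1: create/update/delete calls must carry a valid credential.
function isAuthenticated(headers) {
  const [scheme, token] = (headers['authorization'] || '').split(' ');
  return scheme === 'Bearer' && VALID_TOKENS.has(token);
}

// Item 2: only an allow-listed origin gets a CORS grant; anything else is refused.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
}

// Item 7: reject gibberish in name and phone instead of storing it verbatim.
const NAME_RE = /^[A-Za-z][A-Za-z' -]{1,79}$/;
const PHONE_RE = /^\+?\d{9,15}$/;
function validateProfile(body) {
  const errors = [];
  if (typeof body.name !== 'string' || !NAME_RE.test(body.name)) errors.push('name');
  if (typeof body.phone !== 'string' || !PHONE_RE.test(body.phone)) errors.push('phone');
  return errors;
}
// Apply all checks to one request (header names lower-case, as Node's http
// module delivers them); returns the status, headers and reason to send.
function policy(req) {
  const headers = antiFramingHeaders();
  const cors = corsHeaders(req.headers.origin);
  if (req.headers.origin && !cors) return { status: 403, headers, reason: 'origin not allowed' };
  Object.assign(headers, cors || {});
  if (['POST', 'PUT', 'DELETE'].includes(req.method) && !isAuthenticated(req.headers)) {
    return { status: 401, headers, reason: 'authentication required' };
  }
  if (req.method === 'POST' || req.method === 'PUT') {
    const errors = validateProfile(req.body || {});
    if (errors.length) return { status: 400, headers, reason: 'invalid: ' + errors.join(', ') };
  }
  return { status: 200, headers, reason: 'ok' };
}
```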

The Government has a very good vision for Ghana; however, Vokacom cannot deliver such a poor platform to the Government for such an incredible amount. I will encourage the Government to hire security experts to really look into this.