MY: 1pengguna site hit by security breach, 2,000 accounts exposed (updated)
Shannon Teoh reports:
KUALA LUMPUR, June 10 — The government’s brand new price check portal has been hit by a security breach, allowing hackers to obtain details such as email addresses and contact information of over 2,000 registered users which security experts say can be used to steal financial data in a roundabout way.
The breach follows 1 Malaysia Pengguna Bijak’s (1MPB) immediate outage after its launch on Tuesday, which government officials blamed on teething problems.
Online community portal Lowyat.net reported this morning that there were “several vulnerabilities” in the RM1.4 million 1pengguna.com site that allowed hackers to pull “signup details, usernames, email addresses and hashed passwords (encrypted).”
Read more on The Malaysia Insider.
Update: TheStar Online has some additional details worth noting, including:
Lowyat.net founder and chief executive officer Vijandren Ramadass said an SQL injection (a code injection technique that exploits a security vulnerability in the database) could be used on the price watch portal to retrieve the entire database remotely.
He added that a group of hackers calling themselves The Rilekscrew had exposed the flaw in the site.
Vijandren added that another local website, kenahack.com, had also published an article about the hacking and even listed out in detail how to retrieve the database there.
Vijandren added that he sent an e-mail to the administrators of 1pengguna.com explaining the vulnerability.
However, after two days, nothing had been done to secure the servers.
The news story identifies Sands Consulting Sdn Bhd as the contractor responsible for the site.