Post updated October 20th, 2019 at 12:00 am
Update 1.05pm 17th October – We can independently confirm that the vulnerability has been fixed, and the site is no longer displaying the account details in a publicly readable format.
Original Story 9.01am 17th October – The Petrol Subsidy Programme microsite was launched on the 15th of October by the Domestic Trade and Consumer Affairs Ministry to help recipients of the recently announced subsidy programme to check on their eligibility status online.
It is estimated that close to 2.9 million recipients of the Bantuan Sara Hidup (BSH) aid will be eligible for the Petrol Subsidy aid, as long as they have a vehicle registered under their name. The bulk of the data for the online check is based on the information provided during the application for the Bantuan Sara Hidup scheme, as highlighted by the honorable Minister, Datuk Seri Saifuddin Nasution Ismail during the launch.
While the site works as intended, we can exclusively reveal that the site is also exposing the complete private banking details of eligible recipients. Keying in an eligible person’s MyKad number brings up the usual details, including the bank name registered during the Bantuan Sara Hidup application as well as the eligibility amount. As with the BSH eligibility check, only the last four digits of the account number are displayed on the page.
However, this is where the similarities end. While the account number on the Bantuan Sara Hidup site is masked on the backend and only the partial number is sent to the browser, the Program Subsidi Petrol site sends out the complete account number and then masks it on the form itself, in the browser. A quick check of the source code of the results page reveals the complete bank account number.
We have tested out the resulting account number and can confirm that the account number that is displayed is the full account number and belongs to the actual owner of the MyKAD number that we used for this example.
We went on and tested at least 5 more random MyKad numbers and can confirm that we were able to obtain the full account numbers of the eligible recipients in the same way as outlined above.
The abuse of local bank accounts by scammers has been on the rise in recent years, with the Commercial Crimes Department of the Royal Malaysian Police launching a dedicated site for members of the public to check whether accounts they are transferring money to or receiving money from have been flagged as mule accounts.
We reached out to KPDNHEP via email late yesterday evening to highlight this issue but have yet to receive any response. At the time of writing, the full account numbers are still being disclosed via the source code of the site.