The Malaysian government officially launched the Central Database Hub (PADU) yesterday and within hours, a developer found a major flaw in the system’s API. The vulnerability reportedly allowed any bad actor to change a person’s login password using just their IC number if they wished to do so.
Following the reveal of this critical flaw, the ministry of economy replied to the developer’s tweet, stating that it took note of the finding and is making the needed improvements. According to an update by minister of economy Rafizi Ramli, this flaw has been fixed last night, with the developer in question also confirming that the API has indeed been changed.
Guess what.
I only need your IC number to override and change your PADU login password.@farhanhelmycode @rafiziramli @Dr_Uzir @lamkanahraf pic.twitter.com/m1K2mR3wP2
— useState('drmsr') (@drmsr_dev) January 2, 2024
While this vulnerability seems to be patched, former deputy minister of international trade and industry, Ong Kian Ming, has pointed out that anyone with your IC number and postcode can register for a PADU account on your behalf without your permission as the identity verification only comes after creating the account. This would lead to the actual owners of the IC numbers to be unable to register themselves.
While the relevant data is still owned by the respective agencies, Rafizi has said that PADU is owned and managed by the department of statistics. The department’s chief statistician Mohd Uzir Mahidin revealed that the database’s security is handled in-house with 49 certified data scientists and security barriers already in place.
(Source: @drmsr_dev/X)
