For those among you living in the state of Selangor and KL city, you may have noticed that both the Smart Selangor and Flexi Parking apps aren’t working as intended. Well, that’s because both apps were the victims of a cyberattack recently.
The state’s MP, Amirudin Shari, confirmed the situation with a statement via his official X profile. “I have been informed that there is a complaint regarding the parking application that cannot be accessed by users. The technical team is currently upgrading the system to migrate to a new server. While this technical process is underway, I have directed that NO parking charges or compounds will be imposed on users until this technical issue is fully resolved.”
According to Gotchas Lab, the apps and their respective systems were taken down by a collective — presumably local — calling itself “MelayuSpiritual”, who then replaced the system with a black screen, a root shell, and a message in Malay. Gotchas Lab summarises the translated message this way: “they were inside, and there were ‘7 million users’ in the database. How they got in is the part every business owner should read carefully. They used two of the oldest tricks on the internet.”
Basically, the hackers broke into the Flexi Parking and Smart Selangor apps through what Gotchas Lab describes as two old, preventable bugs: SQL injection and unauthenticated file upload. Borrowing a page out of the site’s description:

“SQL injection is when an attacker types database commands into a normal input box, and the app runs them instead of treating them as plain text. It has sat near the top of web security lists for more than 20 years. The fix, parameterised queries, is built into every modern framework and costs nothing to use correctly. Unauthenticated file upload means a stranger can upload a file, often a small script, without logging in, and the server runs it. Once that works, they own the box. The fix is also standard: check who is uploading, check the file type, and never run uploaded files.”
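The two bugs in the quoted description, shown as an added example (not code from Gotchas Lab or from the affected apps) against an assumed in-memory SQLite users table: the first login function splices user input into the SQL text, the second passes it as parameters, and the upload check applies the three rules above (check who is uploading, check the file type, never run the file).

```python
import hashlib
import sqlite3

def build_db():
    # Constructed stand-in for the parking app's user table (assumed schema).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con

def login_vulnerable(con, username, password):
    # Input is spliced into the SQL string, so the database parses it as
    # commands: a quote in the password changes the WHERE clause itself.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in con.execute(sql)]

def login_parameterised(con, username, password):
    # Placeholders: the driver hands the values to the engine separately,
    # so they can only ever be compared as plain text, never run as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]

# Upload rules: only a logged-in user, only an allow-listed extension whose
# leading bytes match, and a server-generated name so nothing user-chosen
# reaches disk. The stored file must also live outside any path the web
# server executes; this check alone does not make an upload safe to run.
ALLOWED_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff"}

def validate_upload(user, filename, data):
    """Return (accepted, detail); detail is the reason or the stored name."""
    if user is None:
        return False, "unauthenticated"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = ALLOWED_MAGIC.get(ext)
    if magic is None:
        return False, "extension not allowed"
    if not data.startswith(magic):
        return False, "content does not match extension"
    stored = f"{hashlib.sha256(data).hexdigest()[:16]}.{ext}"
    return True, stored

if __name__ == "__main__":
    db = build_db()
    print(login_vulnerable(db, "alice", "' OR '1'='1"))      # every user
    print(login_parameterised(db, "alice", "' OR '1'='1"))   # nobody
    print(validate_upload("alice", "a.png", b"<?php echo 1; ?>"))
```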
At the time of writing, both the Smart Selangor and Flexi Parking apps are still not back in working order: you can still open the apps, but users are still unable to make any payments through them.
(Source: Smart Selangor, Paultan.org, Gotchaa Lab)