The Domestic Trade and Consumer Affairs Ministry (KPDNHEP) has announced that the Petrol Subsidy Programme (PSP) microsite is up and running again after patching the major security flaw that exposed individuals’ bank account information.
The microsite, which serves as an easy platform for Malaysians to check on their eligibility for the PSP, was launched on Tuesday (15 October). However, tech portal Lowyat.NET discovered a vulnerability on the site, where an eligible recipient’s full bank account number can be found on the site’s source code.
The ministry suspended the microsite almost a day after being contacted on this vulnerability, which would be able to give anyone full view of an individual’s name and bank account numbers simply by keying in a MyKad number. According to Fong Choong Fook, director for cybersecurity firm LGMS, the vulnerability allows the microsite to be a tool for phishing activities, as the information gathered is enough to make them sound authentic. “They could impersonate a bank officer and call a victim for extortion. A lot of exploitation can be done here,” Fong said.
(Source: The Star)