< Malaysia Government Websites Failure - Porn Comment Spams | Malaysia Boleh! - 128-year-old voter found on the electoral roll >
Tuesday, March 4. 2008
How Secure is the daftarj.spr.gov.my Website?
UPDATE: 5th March 2008, 15:48 See the screenshot below.
The election is coming soon, and for those of you who are voting, please vote wisely. One thing that catches my attention for a few months now is the http://daftarj.spr.gov.my/ website. This website is pretty straightforward - you key in your IC number, and if you are registered voter, it will display your polling center (basically where you need to poll-lah). The hacker underground in Malaysia have been telling me that the website have some flaws, most notably SQL injection. The website uses Javascript to filter unwanted characters (like spaces, quotes, etc) and sanitize the IC number. Of course if you go to the main page, you won't see the HTML source, you'll get a source page with says "cannot view source". The actual source page is at http://daftarj.spr.gov.my/daftarnewbi.asp. So basically, an attacker can modify the HTML page, and bypass the client-side filter. I will not verify whether this website is vulnerable to direct SQL injection attack, but reports from the underground seem to say so.
Another issue according to others is that the website is also vulnerable to blind SQL injection attack. Again, I have no intention to verify this.
But one thing is for sure - the privacy of registered voters are at risk. This particular website doesn't require authentication to check voting status. You can check your status as many times as you want, consecutively. This means that an attacker can write a script that generate random IC numbers. This is extremely trivial since the format of our IC number is birthdate-statecode-fourdigitcode. A five-line Ruby, Perl or Python script will achieve this - and an attacker can let his script run for days, if not months. And if he's lucky, he'll get you full name, your permanent address, your polling center, and so on. What he's gonna with the data is up to imagination.
So today I tested this manually (no, I don't have any scripts cause I am too lazy at the moment) and one thing that caught my attention is not the results that I got (yes, I can perform checks without any limitation), but rather the "Checking to" counter below the textbox. If I am right, it counts the number of checks performed. What I found is that between my manual checks (less than 7 seconds) the counter increases by 25-30. Does it mean that there are roughly 25 online users checking their voting status at the same time - or has someone written a script and start polling (heh) the database?
OK what if the programmer screwed up and had his additions all wrong - such a simple mistake anyways, right? Well, if the programmer can make a simple mistake...
The election is coming soon, and for those of you who are voting, please vote wisely. One thing that catches my attention for a few months now is the http://daftarj.spr.gov.my/ website. This website is pretty straightforward - you key in your IC number, and if you are registered voter, it will display your polling center (basically where you need to poll-lah). The hacker underground in Malaysia have been telling me that the website have some flaws, most notably SQL injection. The website uses Javascript to filter unwanted characters (like spaces, quotes, etc) and sanitize the IC number. Of course if you go to the main page, you won't see the HTML source, you'll get a source page with says "cannot view source". The actual source page is at http://daftarj.spr.gov.my/daftarnewbi.asp. So basically, an attacker can modify the HTML page, and bypass the client-side filter. I will not verify whether this website is vulnerable to direct SQL injection attack, but reports from the underground seem to say so.
Another issue according to others is that the website is also vulnerable to blind SQL injection attack. Again, I have no intention to verify this.
But one thing is for sure - the privacy of registered voters are at risk. This particular website doesn't require authentication to check voting status. You can check your status as many times as you want, consecutively. This means that an attacker can write a script that generate random IC numbers. This is extremely trivial since the format of our IC number is birthdate-statecode-fourdigitcode. A five-line Ruby, Perl or Python script will achieve this - and an attacker can let his script run for days, if not months. And if he's lucky, he'll get you full name, your permanent address, your polling center, and so on. What he's gonna with the data is up to imagination.
So today I tested this manually (no, I don't have any scripts cause I am too lazy at the moment) and one thing that caught my attention is not the results that I got (yes, I can perform checks without any limitation), but rather the "Checking to" counter below the textbox. If I am right, it counts the number of checks performed. What I found is that between my manual checks (less than 7 seconds) the counter increases by 25-30. Does it mean that there are roughly 25 online users checking their voting status at the same time - or has someone written a script and start polling (heh) the database?
OK what if the programmer screwed up and had his additions all wrong - such a simple mistake anyways, right? Well, if the programmer can make a simple mistake...
Comments
Display comments as
(Linear | Threaded)
check this out!
801018775059
800311086231
811028045577
830416610017
841207065917
851222740019
850513106435
851117106729
850802106378
850916086838
860320145365
861101105077
860208145701
860320145357
861217145011
860126145839
871205740015
870914105781
yeah...too old to vote
801018775059
800311086231
811028045577
830416610017
841207065917
851222740019
850513106435
851117106729
850802106378
850916086838
860320145365
861101105077
860208145701
860320145357
861217145011
860126145839
871205740015
870914105781
yeah...too old to vote
hehe 
nice birthyear 1880-1887.
are they still alive at 121-128 years old? lolz
nice birthyear 1880-1887. are they still alive at 121-128 years old? lolz
wohlshire...
the IC number *801018*775059 represents 18 October 1980 and NOT 1880.. LOL....
the IC number *801018*775059 represents 18 October 1980 and NOT 1880.. LOL....
Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near 'FUCK'.
/daftarnew.asp, line 44
Line 1: Incorrect syntax near 'FUCK'.
/daftarnew.asp, line 44
No need to make script maa, you can can go and buy it for SPR.
http://www.spr.gov.my/index/electoralrollrev.htm
SALE OF THE ELECTORAL ROLL
The electoral roll is open for sale to the public as provided under Regulation 28. The roll can be bought in hard copy form from the Operations Division of the Headquarters of the election Commission as well as from the State Election Offices.
http://www.spr.gov.my/index/electoralrollrev.htm
SALE OF THE ELECTORAL ROLL
The electoral roll is open for sale to the public as provided under Regulation 28. The roll can be bought in hard copy form from the Operations Division of the Headquarters of the election Commission as well as from the State Election Offices.
hey abu foo,u must be one of the gov sys admin r u? thats why u dont know nut bout sec. go and lepak at kedai kopi lah nuts
This is respond to chfl4gs and someOne
(Does mixing up numeric and alphabet in your nick make you l33t?
sooooo script kiddies la bro)
On the contrary, i do understand the issues
1) SQL Injection (yup it's a big deal) not doubt about it.
2) Creating script to get data that you can already get it for "free"., i don't think it leet. Just go to one of the pusat gerakan (either opposition or gomen),u can get it for "free". Just bring your own CD to burn the data.
If you want to be useful, why not create a script that can find phantom voters like in this case:
Kisah Anggota Tentera Ada Dua IC Terbongkar
http://kuda-kepang.blogspot.com/2008/03/terkini-kisah-anggota-tentera-ada-dua.html
Hope you can ready Bahasa Malaysia, don't cha?
Peace
Abu
(Does mixing up numeric and alphabet in your nick make you l33t?
sooooo script kiddies la bro)On the contrary, i do understand the issues
1) SQL Injection (yup it's a big deal) not doubt about it.
2) Creating script to get data that you can already get it for "free"., i don't think it leet. Just go to one of the pusat gerakan (either opposition or gomen),u can get it for "free". Just bring your own CD to burn the data.
If you want to be useful, why not create a script that can find phantom voters like in this case:
Kisah Anggota Tentera Ada Dua IC Terbongkar
http://kuda-kepang.blogspot.com/2008/03/terkini-kisah-anggota-tentera-ada-dua.html
Hope you can ready Bahasa Malaysia, don't cha?
Peace
Abu
"Hope you can ready Bahasa Malaysia, don't cha?"
I hate this kind of comment in my blog. Asking a fellow commenter whether he/she can speak/read Bahasa Malaysia (which one is it? Bahasa Melayu or Bahasa Malaysia?) is damn offensive, insulting, and very disrespectful. As a fellow Malaysian (I'm an Iban) I find the Abu's comment to chfl4gs_ and someOne very offensive, insulting and disrespectful.
Are the non-Malays in our country can't read/write a word of Malay?
I hate this kind of comment in my blog. Asking a fellow commenter whether he/she can speak/read Bahasa Malaysia (which one is it? Bahasa Melayu or Bahasa Malaysia?) is damn offensive, insulting, and very disrespectful. As a fellow Malaysian (I'm an Iban) I find the Abu's comment to chfl4gs_ and someOne very offensive, insulting and disrespectful.
Are the non-Malays in our country can't read/write a word of Malay?
Do you think someOne comment is insulting and very disrespectful also?
Why is so damn offensive to ask if somebody can speak/read Malay or not? Similar when you go to foreign country, do you feels insulted when Japanese asking you whether you can speak Japan or not?
This site is damn hypocrite.
Cakap tak serupa bikin like what you have in your Disclaimer.
Abu
Why is so damn offensive to ask if somebody can speak/read Malay or not? Similar when you go to foreign country, do you feels insulted when Japanese asking you whether you can speak Japan or not?
This site is damn hypocrite.
Cakap tak serupa bikin like what you have in your Disclaimer.
Abu
"Similar when you go to foreign country, do you feels insulted when Japanese asking you whether you can speak Japan or not?"
Are we in Japan? You can't even use a proper simile in your arguments.
Are we in Japan? You can't even use a proper simile in your arguments.
What kind of argument is that?
Do you assume all the visitors that come to your site is from Malaysia or Malaysian only?
This is already lari tajuk maa.
Abu
Do you assume all the visitors that come to your site is from Malaysia or Malaysian only?
This is already lari tajuk maa.
Abu
Nuts. Moo points all over. Your only concern is the poll registrar data. This shows what you really understood is just surface shallow as it sounds. Perhaps, it is too heavy for your little brain to sink in.
So the term "jahanam" adding suffix "z" makes you l33t like monkey from hell?
Read the post topic, "How Secure is the daftarj.spr.gov.my Website?" and check the comments again. Who is going off-topic? Jumped in and started yelling "you can buy the data crap". Yeah, this site is damn hypocrite. So what?
So the term "jahanam" adding suffix "z" makes you l33t like monkey from hell?
Read the post topic, "How Secure is the daftarj.spr.gov.my Website?" and check the comments again. Who is going off-topic? Jumped in and started yelling "you can buy the data crap". Yeah, this site is damn hypocrite. So what?
Ok, let's look at the original posting by Meling.
a) He stated the site is vulnerable to sql injection
b) The privacy of registered voters are at risk.
When i found the info on SPR website stated that they can sell the voters information, i'm totally surprised. Government can actually sell citizen private info and is allowable by the law. Don't you think this is damn serious issue? Does this constitute off topic? since i believe we are discussing privacy issue.
I try to highlight/share this to the rest of you and i'm surprised with "insults" that i got for sharing such information. Maybe also my fault not to elaborate my thought on my 1st posting but i don't think i'm using any vulgar or offensive words on my 1st posting to deserve unnecessary insult from you.
I really have high hope on security.org,my for intellectual and productive discussion, but it seems hopeless.
Abu
Note to myself: Never argue with idiots with big ego X 1000
a) He stated the site is vulnerable to sql injection
b) The privacy of registered voters are at risk.
When i found the info on SPR website stated that they can sell the voters information, i'm totally surprised. Government can actually sell citizen private info and is allowable by the law. Don't you think this is damn serious issue? Does this constitute off topic? since i believe we are discussing privacy issue.
I try to highlight/share this to the rest of you and i'm surprised with "insults" that i got for sharing such information. Maybe also my fault not to elaborate my thought on my 1st posting but i don't think i'm using any vulgar or offensive words on my 1st posting to deserve unnecessary insult from you.
I really have high hope on security.org,my for intellectual and productive discussion, but it seems hopeless.
Abu
Note to myself: Never argue with idiots with big ego X 1000
The insult from you was clear: "Hope you can ready Bahasa Malaysia, don't cha?"
Who's the one that start to throw the first insult?
"Hope you can ready Bahasa Malaysia, don't cha?"
I genuinely asking whether they can read Bahasa, not meant to insult anybody. Based on experience, I have friends that can understand/speak Bahasa but when in
come to read Bahasa, (especially if there is a lot of bahasa pasar ), they will totally clueless.
From your reply, i found it 's very pathethic.
You keep harping on the same issue that i'm insulting you and your ball licker but not addressing the real one.
Even you do not respond to simple question whether some0ne comment is insulting and very disrespectful also?
What really bugs me that you are practicing double standard (OK for your friends + ball licker to insult other people, but the other can't do the same or retaliate)
Aren't you site suppose to practice "freedom of speech"?
Like Master Yoda said, "Hopeless, we are".
Abu
"Hope you can ready Bahasa Malaysia, don't cha?"
I genuinely asking whether they can read Bahasa, not meant to insult anybody. Based on experience, I have friends that can understand/speak Bahasa but when in
come to read Bahasa, (especially if there is a lot of bahasa pasar ), they will totally clueless.
From your reply, i found it 's very pathethic.
You keep harping on the same issue that i'm insulting you and your ball licker but not addressing the real one.
Even you do not respond to simple question whether some0ne comment is insulting and very disrespectful also?
What really bugs me that you are practicing double standard (OK for your friends + ball licker to insult other people, but the other can't do the same or retaliate)
Aren't you site suppose to practice "freedom of speech"?
Like Master Yoda said, "Hopeless, we are".
Abu
Abu,
Yes, I know chfl4gs_ personally and I know what he's capable of. I don't know some0ne - so you're wrong in saying that (to use your word) he's my ball licker.
Abu,
If I am practicing double standards, please point out to other blog posts/comments of me doing it as well.
Abu,
As for whether or not some0ne's comments is insulting to you - with your level of argumentative skills - I am not surprised that you feel as such.
Abu,
If I am not practicing "freedom of speech", why in some posts I posted direct link to phpshell in a government web server? If I am not practicing "freedom of speech", why do your comments (and that of chfl4gs_ and some0ne's) are still displayed on this post? Heck, why do I let you use the big words like ball lickers and hypocrite, and let you openly ridicule this blog, chfl4gs_, some0ne's and my comments as well?
Abu,
Quoating Master Yoda doesn't add weight to your comment. It just make you look dumb.
Yes, I know chfl4gs_ personally and I know what he's capable of. I don't know some0ne - so you're wrong in saying that (to use your word) he's my ball licker.
Abu,
If I am practicing double standards, please point out to other blog posts/comments of me doing it as well.
Abu,
As for whether or not some0ne's comments is insulting to you - with your level of argumentative skills - I am not surprised that you feel as such.
Abu,
If I am not practicing "freedom of speech", why in some posts I posted direct link to phpshell in a government web server? If I am not practicing "freedom of speech", why do your comments (and that of chfl4gs_ and some0ne's) are still displayed on this post? Heck, why do I let you use the big words like ball lickers and hypocrite, and let you openly ridicule this blog, chfl4gs_, some0ne's and my comments as well?
Abu,
Quoating Master Yoda doesn't add weight to your comment. It just make you look dumb.
spoonfork said "Quoating Master Yoda doesn't add weight to your comment. It just make you look dumb."
Did you also used the same quote in this post?
http://security.org.my/index.php?/archives/Malaysia-Can-Counter-Cyber-Threats,-Says-Dompok.html
It's never my intention to ridicule your site but i'm just responding to the unnecessary comments that i've received earlier.
Btw, my friend (that recommended this site to me) say hi.
This friend told me that i should never mess up with security.org.my crew and should buy you drinks in case we meet
Abu
Did you also used the same quote in this post?
http://security.org.my/index.php?/archives/Malaysia-Can-Counter-Cyber-Threats,-Says-Dompok.html
It's never my intention to ridicule your site but i'm just responding to the unnecessary comments that i've received earlier.
Btw, my friend (that recommended this site to me) say hi.
This friend told me that i should never mess up with security.org.my crew and should buy you drinks in case we meet
Abu
"This is respond to chfl4gs and someOne
(Does mixing up numeric and alphabet in your nick make you l33t? sooooo script kiddies la bro)"
Isn't this an insult?
"Never argue with idiots with big ego X 1000"
Cool, now I finally found something in you that I agreed with.
(Does mixing up numeric and alphabet in your nick make you l33t?
sooooo script kiddies la bro)"Isn't this an insult?
"Never argue with idiots with big ego X 1000"
Cool, now I finally found something in you that I agreed with.
The question is ...
How secure is the daftarj.spr.gov.my website?
The answer is ...
Not secure.
How secure is the daftarj.spr.gov.my website?
The answer is ...
Not secure.
Add Comment
Before you post a comment, please take note of the following guidelines:
- Commenting is provided as a courtesy only.
- Please be brief and relevant to the post.
- Please be polite even in disagreement with us or others.
- Support claims you wish to make using sources and links.
- No personal attacks, name calling, or commercial commenting.
- Anyone creating false or multiple identities will be banned.
- If you don't have a cogent argument, you will be censored.
- If you are purposefully deceptive, you will be censored.
- No spamming or flooding.
Comment policy copied and modified from Spin Hunters.
DISCLAIMER
All data and information provided on this site is for informational purposes and on an *as-is* basis.
This weblog does not represent the thoughts, intentions, plans or strategies of our employers. It is solely our opinion and views as security professionals.
Feel free to challenge us, disagree with us, or even tell us that we are a complete mindless and brainless monkeys in the comment section of the blog entry.
This weblog does not represent the thoughts, intentions, plans or strategies of our employers. It is solely our opinion and views as security professionals.
Feel free to challenge us, disagree with us, or even tell us that we are a complete mindless and brainless monkeys in the comment section of the blog entry.
Report Defacements of Malaysian Website
Tags
watchlist gcert worm exploit strong password harimau outbreak how to create password cybersecurity malaysia virus dubai myhack niser security analysis apple hitbsecconf2008 kuala lumpur pink rabbit vnsecurity leopard downadup password python edu.my conficker hitbsecconf2008 cimb phishing hackinthebox comment spam ctf mycert bank wireless lubuntu network analysis hacked hitbsecconf2008 dubai conference xss personal data privacy honeynet my-honeynet cyber terrorism scam general os x cuciotak scamming hex phishing site spam news information disclosure maybank2u hacking maybank phishing impact bro-ids sql injection malware events nsm alien_005 tools stupidity hackermalaysia joomla! hitbsecconf hitb web vulnerability defaced malaysia defacement
Recent Entries
Defaced - http://www.masjidannur.com.my
Defaced - http://orogenic.com.my/ - http://orogenicgroup.com/
Defaced - http://www.kedairakyat.com
Defaced - http://andamansetipengantin.com
Defaced - http://klse.info/.~x/
Defaced - http://{www,ict,akademik}.kedah.edu.my/
www.mampu.gov.my - hacked or misconfigured?
UMNO spends RM300 million hiring hackers to stop PKR for the next general election
Defaced - http://www.politeknik.edu.my
Defaced - http://ncer.com.my
March 24 2010
Defaced - http://orogenic.com.my/ - http://orogenicgroup.com/
March 24 2010
Defaced - http://www.kedairakyat.com
March 24 2010
Defaced - http://andamansetipengantin.com
March 24 2010
Defaced - http://klse.info/.~x/
March 24 2010
Defaced - http://{www,ict,akademik}.kedah.edu.my/
March 24 2010
www.mampu.gov.my - hacked or misconfigured?
March 12 2010
UMNO spends RM300 million hiring hackers to stop PKR for the next general election
March 12 2010
Defaced - http://www.politeknik.edu.my
March 4 2010
Defaced - http://ncer.com.my
March 4 2010
A commenter provided a list of voters over 100 years old on the electoral roll: 801018775059 800311086231 811028045577 830416610017 841207065917 851222740019 850513106435 851117106729 850802106378 850916086838 860320145365 861101105077
Tracked: Mar 04, 17:45
Three days after this post: How Secure is the daftarj.spr.gov.my Website, the IT department of the Election Commission upgraded http://daftarj.spr.gov.my/ to .NET 2.0. Questions: Does this means that the website is more secure?
Tracked: Mar 07, 13:56