SQL injection to blame

May 18, 2010 14:26 GMT  ·  By

A government-run website promoting the OV-chipkaart smart card, which is currently being introduced in public transportation across The Netherlands, has been found leaking sensitive private information on over 168,000 passengers. A grey-hat hacker proved that he could access the name, address, birth date, phone number or e-mail for anyone in the database, through SQL injection.

According to Webwereld, which covered (in Dutch) the security breach in detail, the vulnerable www.ervaarhetov.nl website was created to encourage quicker OV-chipkaart adoption in the Gelderland, Overijssel and Flevoland provinces. A promotion offered through the site and called “Ervaar het OV” (Experience the OV) allowed passengers to sign up and try out the new system for free.

The SQL injection vulnerability was discovered by a local grey-hat hacker calling himself ins3ct3d, who feels the government is rushing to deploy this system on a large scale and ignores the privacy risks in the process. "As long as the government continues to impose unsafe public systems, I feel compelled to protect and warn my fellow citizens. The government should implement its plan in a way that doesn't involve huge risks. This time it's sensitive personal data, next time your fingerprints or EHR [Electronic health record]," the hacker said [approximate translation].

SQL injection is a common type of vulnerability that allows attackers to extract information from, or write information into, a website's database by manipulating the URL in the browser. These flaws result from a failure to properly sanitize input passed to dynamic scripts. ins3ct3d demonstrated the hole on ervaarhetov.nl by extracting information about a Webwereld editor registered on the website.
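To make the mechanism concrete, here is an added example (not code from the site or from the article), in Python with SQLite: the same sign-up lookup written once with string concatenation and once with a parameterized query. The table, column names and rows are constructed stand-ins, not the real site's schema.

```python
import sqlite3

# Constructed sample data standing in for a promotion sign-up table;
# table name, columns and rows are assumptions, not the real site's schema.
SAMPLE_ROWS = [
    ("alice", "Alice Example", "1 Example St", "1980-01-01", "alice@example.org"),
    ("bob", "Bob Example", "2 Example St", "1975-05-05", "bob@example.org"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE participants "
        "(username TEXT, fullname TEXT, address TEXT, birthdate TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO participants VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    # The value taken from the URL is pasted straight into the statement, so the
    # database cannot tell where the data ends and the SQL syntax begins.
    sql = "SELECT fullname, email FROM participants WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The driver sends the value separately from the statement text; whatever
    # the input contains is compared as a literal username and nothing more.
    sql = "SELECT fullname, email FROM participants WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups on a fresh database and return (vulnerable, parameterized)."""
    conn = build_db()
    return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)


if __name__ == "__main__":
    # A legitimate value behaves the same in both versions.
    print(compare("alice"))
    # A value carrying SQL syntax makes the concatenated query match every row,
    # while the parameterized query matches none (no such username exists).
    vuln, safe = compare("nobody' OR '1'='1")
    print("concatenated query returned", len(vuln), "rows")   # 2
    print("parameterized query returned", len(safe), "rows")  # 0
```

The difference in row counts for the second input is the check a code review or a test suite should look for: every query that builds SQL from request data by concatenation needs the parameterized form.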

“I guess we should all breathe a sigh of relief that, in this instance, the hack appears to have been orchestrated with the interests of exposing poor security, rather than stealing users' data and identities. Hopefully this incident might play some small part in raising awareness around the world of the need to ensure your website is coded securely, and not at risk of leaking sensitive information,” Graham Cluley, senior technology consultant at Sophos, commented about the incident.