Hacker reveals e-toll website security flaw

 ·7 Jan 2014

An unofficial security advisory issued by a hacker has warned e-toll users that the PINs used to log into the e-toll website can be easily obtained if their username is known.

This is due to a page on the South African National Roads Agency Limited (Sanral) website which can be exploited to expose the PIN of any registered e-toll website user.

The page is intended to be used as part of a standard two-stage account registration process, the hacker told MyBroadband, where the user would click on a link in an e-mail to confirm their account.

However, the page at the link contains a “serious security problem,” the hacker said. It provides the user’s PIN on the confirmation screen.

Armed with just someone’s e-toll username, anyone could obtain all kinds of sensitive information from the Sanral website.

This includes ID numbers, vehicle license plate numbers, postal addresses, and payment methods.

“It is great that Sanral informs you to keep your pin safe in their ‘Terms and conditions’ but it’s not very great that they give out your pin to anyone that basically requests for it,” the hacker’s advisory said.

Sanral was asked for comment but did not respond by the time of publication.

This article first appeared on MyBroadband

More on e-tolls

New e-tag sales stats from Sanral

E-toll prosecutions months away

E-tolls are cheap for users: Sanral

E-tolls: pay up or else

Show comments
Subscribe to our daily newsletter