Data loophole on Malaysian VEP website plugged

Information like a driver's address, contact numbers and passport details can be seen on the Transportation Department's website by simply making an alteration to the site's URL. PHOTO: SCREENGRAB FROM ROAD TRANSPORT DEPARTMENT OF MALAYSIA

KUALA LUMPUR • The glitch on the Malaysian Road Transportation Department's Vehicle Entry Permit (VEP) website appears to be fixed, with users no longer able to see the personal data of other motorists yesterday.

The Straits Times had reported on Friday that the personal information of foreign motorists, including that of Singaporeans, could be seen on the website because of a loophole.

The Malaysian Transport Ministry said yesterday that it takes data security "seriously", although it did not explain how sensitive information like a driver's NRIC number, address, contact numbers, passport details and chassis information could be seen on the website simply by making an alteration to the website's URL.

"Data security is a matter that we take seriously. It is of utmost importance to us and we are treating it with great urgency," it said.

"The VEP portal deploys a 'same-origin policy' where it only allows scripts on a first webpage to access data on the second webpage, and only if both are of the same origin. This policy prevents any malicious attempts to obtain access to sensitive data on one page to another page."

The discovery was made by accident after Singaporean driver Mohammad Hafiz "cut and pasted" the website's URL and sent it to his nephew on Friday morning to help him register for his VEP.

Mr Hafiz, 28, told ST: "When he opened the page, he was surprised he was staring at my own details and not his."

When Mr Hafiz, an IT specialist, made some changes to the URL that showed his VEP account, he could see sensitive information of other motorists in a matter of seconds.

Experts said it is possible that the data has been accessed by external parties.

ST alerted the Malaysian authorities to the data loophole around noon on Friday.

At about 5pm the same day, access to the website was blocked, with a message alerting users that maintenance was ongoing.

The ministry said yesterday that "after thorough investigation", the VEP portal is now accessible, although it did not specify the steps that it took to resolve the problem.

A version of this article appeared in the print edition of The Sunday Times on April 28, 2019, with the headline 'Data loophole on Malaysian VEP website plugged'.