Wednesday, October 16, 2019

Program Subsidi Petrol Microsite Found Disclosing Recipient’s Bank Account Details

The Petrol Subsidy Programme microsite was launched on the 15th of October by the Domestic Trade and Consumer Affairs Ministry to help recipients of the recently announced subsidy programme check their eligibility status online.

It is estimated that close to 2.9 million recipients of the Bantuan Sara Hidup (BSH) aid will be eligible for the PSP aid, as long as they have a vehicle registered under their name. The bulk of the data for the online check is based on the information provided during the application for the BSH scheme, as highlighted by the honorable Minister, Datuk Seri Saifuddin Nasution Ismail during the launch.

While the site works as intended, we can exclusively reveal that it is also revealing private banking details of the eligible recipients. Keying in an eligible person’s MyKAD number brings up the usual details, including the Bank Name that was registered during the BSH application as well as the eligibility amount. Similar to the BSH eligibility check, only the last four digits of the account number are displayed.

However, this is where the similarities end. While the results on the Bantuan Sara Hidup site are masked on the backend before being sent to the browser, the bank account number on the Program Subsidi Petrol site is sent to the browser in full and is simply masked with XXXX on the form. A quick check of the page source reveals the complete bank account number.
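The difference between the two sites comes down to where the masking happens. The added example below (not code from either microsite; the record and account number are constructed sample values) shows a lookup response that masks only in the rendered field, the server-side alternative that never sends the full number, and the check a reviewer would run against the serialised payload.

```python
import json

# Constructed sample record; the MyKAD value is a placeholder, not a real identity number.
RECIPIENT = {
    "mykad": "000000-00-0000",
    "bank_name": "Example Bank",
    "account_number": "1234567890123",  # constructed sample, not a real account
    "amount_rm": 30,
}


def mask_account(account_number: str, visible: int = 4) -> str:
    """Keep only the last `visible` digits; replace everything else with X."""
    if len(account_number) <= visible:
        return "X" * len(account_number)
    return "X" * (len(account_number) - visible) + account_number[-visible:]


def flawed_response(record: dict) -> dict:
    """Mirrors the PSP behaviour described above: the full account number is
    sent to the browser and only the displayed field is masked."""
    return {
        "bank_name": record["bank_name"],
        "account_number": record["account_number"],  # ends up in the page source
        "account_display": mask_account(record["account_number"]),
        "amount_rm": record["amount_rm"],
    }


def hardened_response(record: dict) -> dict:
    """Masks on the backend, as the article says the BSH site does: the full
    account number never leaves the server."""
    return {
        "bank_name": record["bank_name"],
        "account_display": mask_account(record["account_number"]),
        "amount_rm": record["amount_rm"],
    }


def leaks_full_account(payload: dict, record: dict) -> bool:
    """The 'view source' check: does the serialised response contain the
    full account number anywhere, regardless of which field holds it?"""
    return record["account_number"] in json.dumps(payload)


if __name__ == "__main__":
    print("flawed leaks:", leaks_full_account(flawed_response(RECIPIENT), RECIPIENT))
    print("hardened leaks:", leaks_full_account(hardened_response(RECIPIENT), RECIPIENT))
```

The check is deliberately run over the serialised payload rather than a named field, because a leak through an unexpected attribute or hidden input is exactly what a field-by-field review misses.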

We have tested out the resulting account number and can confirm that the account number that is displayed did indeed belong to the actual owner of the MyKAD number that we used for this example.

We went on and tested at least 5 more random MyKad numbers and can confirm that we were able to obtain the full account numbers of the eligible recipients in the same way as outlined above.

The abuse of local bank accounts by scammers for malicious purposes has been on the rise in recent years, with the Commercial Crimes Department of the Royal Malaysian Police launching a dedicated site for members of the public to check whether accounts they are transferring money to or receiving money from have been flagged as mule accounts.

We reached out to KPDNHEP via email late yesterday evening to highlight this issue but have yet to receive any response. At time of writing, the full account numbers are still being disclosed via the source code of the site.

The post Program Subsidi Petrol Microsite Found Disclosing Recipient’s Bank Account Details appeared first on Lowyat.NET.



from Lowyat.NET https://ift.tt/2MLRzqy
