Etoll web vulnerability exposes Gauteng drivers’ data

Share on facebook
Share on twitter
Share on linkedin
Share on email

Drivers who’ve registered for Gauteng’s controversial etoll system could find their personal details compromised thanks to a vulnerability discovered in the online account management pages of the automated tagging system.

Business tech site ITWeb was alerted to the vulnerability by a reader, who says that he had tried to bring it to the attention of etoll operator SANRAL almost a year ago. The electronic tolling gantries are due to be turned on by the end of the year, following numerous legal attempts to force the abandonment of the project.

We’ve seen evidence of the exploit in action, which has been confirmed to exist by experts talking to ITWeb. The risk factor has been played down due to the complexity of the method required to exploit the security loophole, which involves a ‘man in the middle‘ attack that requires the attacker to be on the same network as the etolls user and able to intercept a session cookie supplied by the secure area of the etoll website. The attacker can then log-in using the same cookie at will. As a result, it isn’t exposing large amounts of data and should also be easy to fix, notes Dominic White of SensePost.

ITWeb writes:

Fortunately, the attack is not simple and is greatly limited in scope. While the episode reflects poorly on Sanral, the risk to e-toll customers is small. An attacker would have to be present on the same physical network as the e-toll user and conduct a comprehensive man-in-the-middle attack, in which case far more than e-toll data would be at risk.

Had the exploit remained undetected, however, the greatest risk to large amounts of data would have been if staff at an ISP exploited it en masse against their users. Like previous security flaws in government databases, under current legislation the public would have no right to know how many accounts had been breached or even that an attack had taken place. Companies will be compelled to report data loss under the forthcoming Protection of Personal Information (POPI) legislation, however.

Adam Oxford

Adam Oxford

Adam is the Editorial Director at htxt media. He has been writing about technology for almost two full decades now. In a previous life, he was the editor of PC Format and Digital Camera Shopper in the UK, before going on to work as a freelance journalist for seven years. His work has appeared in or on Stuff, The Guardian, Linux Format, TechRadar,, PC Gamer, Green Futures, The Journalist, The Ecologist and The Review. Adam moved to South Africa in 2012 and loves 3D printers, MakerFairs and tech hubs. He hates seafood. None of his friends remember this when cooking.