NaTIS online booking, and the government being too helpful.

So the National Traffic Information System (NaTIS) recently launched a new website where you can book for various driving licences / renewals online. The website itself seems fairly slick and fast, and it’s good to see initiatives like this coming from government, as anyone who’s spent any time at a driver’s licence department will know.

Can’t stop progress.

As an example, if you choose to book a driver’s licence renewal, you are prompted for the type of identification, as well as, say, your ID number. What if you make a typo? Well, not to worry, it will validate your ID number for you.

Neat

That’s neat. What if you typo’d so hard, you entered a valid, but non-existent ID number? Not a problem.

Um…

Well, they’ve definitely tried really hard. Uh… did they just expose a service we can use to check if an ID number exists? That’s… odd. What if you typo’d an ID number of someone who existed, but didn’t have a driver’s licence?

Hold on…

Oh dear. So we can use this to check if someone has a valid driver’s licence? That’s a little concerning. And what happens if you enter an ID number of someone who does exist?

Oh dear.

Well, that’s not good.

To summarize, NaTIS has exposed a service where, after filling in a CAPTCHA, you can enter an ID number and be told:

  1. If the ID number is valid,
  2. If the ID number has been assigned to someone,
  3. Whether or not that someone has a driver’s licence,
  4. If they have a driver’s licence, what their first and last names are.

That’s a lot of info to just be leaking out all over. I assume that wasn’t intentional. Looking at the page for applying for a learner’s licence, I think you may be able to retrieve the names of someone who doesn’t have a licence yet as well, but I haven’t confirmed.
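The four answers listed above, modelled next to a lookup that does not distinguish them. This is an added example, not NaTIS code: the function names, the sample records and the 13-digit Luhn checksum rule used for "valid" are all assumptions.

```python
# Added illustration; names, records and the checksum rule are assumptions.
def luhn_valid(id_number):
    """Format check only: 13 digits ending in a Luhn check digit (assumed rule)."""
    if len(id_number) != 13 or not id_number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(id_number)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def with_check_digit(first12):
    """Build a constructed, well-formed sample ID from 12 digits."""
    return next(first12 + str(c) for c in range(10) if luhn_valid(first12 + str(c)))

# Constructed sample data standing in for the population and licence registers.
LICENSED = with_check_digit("800101500908")
UNLICENSED = with_check_digit("900202500108")
UNASSIGNED = with_check_digit("750303500208")
PEOPLE = {LICENSED: ("Thandi", "Example"), UNLICENSED: ("Sipho", "Sample")}
LICENCES = {LICENSED}
PROBES = ["1234", UNASSIGNED, UNLICENSED, LICENSED]

def leaky_lookup(id_number):
    """Behaviour described in the post: a different answer for each state."""
    if not luhn_valid(id_number):
        return {"status": "invalid_id"}
    if id_number not in PEOPLE:
        return {"status": "id_not_found"}
    if id_number not in LICENCES:
        return {"status": "no_licence"}
    first, last = PEOPLE[id_number]
    return {"status": "ok", "first_name": first, "last_name": last}

def hardened_lookup(id_number):
    """Only the checksum result differs, and anyone can compute that offline.
    Register checks and names are left to a later, authenticated step."""
    if not luhn_valid(id_number):
        return {"status": "invalid_id"}
    return {"status": "accepted", "message": "Booking request received."}

def distinct_answers(lookup, ids):
    """Number of distinguishable replies, i.e. how much the lookup reveals."""
    return len({tuple(sorted(lookup(i).items())) for i in ids})

if __name__ == "__main__":
    print("leaky:", distinct_answers(leaky_lookup, PROBES))        # 4 states exposed
    print("hardened:", distinct_answers(hardened_lookup, PROBES))  # 2 states exposed
```
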

A good initiative, but someone really needs to be vetting these things before they go out.

Posted in Government, Privacy, Security
