Update: it looks like the CATPCHA is now required for every request, so at least an automated leak is out. This still allows for targeted looking up of data though, like investigating job applicants, or anyone for whom you have an ID number, which probably isn’t ideal.
So the National Traffic Information System (NaTIS) recently launched a new website where you can book for various driving licences / renewals online. The website itself seems fairly slick and fast, and it’s good to see initiatives like this coming from government, as anyone who’s spent any time at a driver’s licence department will know.
As an example, if you choose to book a driver’s licence renewal, you are prompted for the type of identification, as well as, say, your ID number. What if you make a typo? Well, not to worry, it will validate your ID number for you.
That’s neat. What if you typo’d so hard, you entered a valid, but non-existent ID number? Not a problem.
Well, they’ve definitely tried really hard. Uh… did they just expose a service we can use to check if an ID number exists? That’s… odd. What if you typo’d an ID number of someone who existed, but didn’t have a driver’s licence?
Oh dear. So we can use this to check if someone has a valid driver’s licence? That’s a little concerning. And what happens if you enter an ID number of someone who does exist?
Well, that’s not good.
To summarize, Natis has exposed a service that, after filling in a Captcha, you can enter an ID number and be told:
- If the ID number is valid,
- If the ID number has been assigned to someone,
- Whether or not that someone has a driver’s licence,
- If they have a driver’s licence, what their first and last names are.
That’s a lot of info to just be leaking out all over. I assume that wasn’t intentional. Looking at the page for applying for a learner’s licence, I think you may be able to retrieve names about someone who doesn’t have a licence yet as well, but I haven’t confirmed.
A good initiative, but someone really needs to be vetting these things before they go out.