So the National Traffic Information System (NaTIS) recently launched a new website where you can book for various driving licences / renewals online. The website itself seems fairly slick and fast, and it’s good to see initiatives like this coming from government, as anyone who’s spent any time at a driver’s licence department will know.
As an example, if you choose to book a driver’s licence renewal, you are prompted for the type of identification, as well as, say, your ID number. What if you make a typo? Well, not to worry, it will validate your ID number for you.
That’s neat. What if you typo’d so hard, you entered a valid, but non-existent ID number? Not a problem.
Well, they’ve definitely tried really hard. Uh… did they just expose a service we can use to check if an ID number exists? That’s… odd. What if you typo’d an ID number of someone who existed, but didn’t have a driver’s licence?
Oh dear. So we can use this to check if someone has a valid driver’s licence? That’s a little concerning. And what happens if you enter an ID number of someone who does exist?
Well, that’s not good.
To summarize, NaTIS has exposed a service where, after filling in a CAPTCHA, you can enter an ID number and be told:
- If the ID number is valid,
- If the ID number has been assigned to someone,
- Whether or not that someone has a driver’s licence,
- If they have a driver’s licence, what their first and last names are.
That’s a lot of info to just be leaking out all over. I assume that wasn’t intentional. Looking at the page for applying for a learner’s licence, I think you may be able to retrieve the name of someone who doesn’t have a licence yet as well, but I haven’t confirmed.
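The four answers summarized above, modelled as an added example (not NaTIS code) next to one possible hardened form that reveals only the public checksum result before authentication. The function names, status strings and records are constructed, and the format check is assumed to be the Luhn check digit that South African ID numbers carry.

```python
import json

def luhn_ok(id_number: str) -> bool:
    """Public format check: 13 ASCII digits ending in a Luhn check digit."""
    if len(id_number) != 13 or not (id_number.isascii() and id_number.isdigit()):
        return False
    total = 0
    for pos, ch in enumerate(reversed(id_number)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def with_check(body12: str) -> str:
    """Append the check digit so the constructed samples pass luhn_ok."""
    return next(body12 + c for c in "0123456789" if luhn_ok(body12 + c))

# Constructed records. The date part is 000000 (month 00), so these
# cannot be real ID numbers.
HAS_LICENCE = with_check("000000000001")
NO_LICENCE = with_check("000000000002")
UNASSIGNED = with_check("000000000003")
REGISTRY = {HAS_LICENCE: {"name": "Sample Person A", "licence": True},
            NO_LICENCE: {"name": "Sample Person B", "licence": False}}

def leaky_lookup(id_number: str) -> dict:
    """Behaviour described on the page: four distinguishable answers."""
    if not luhn_ok(id_number):
        return {"status": "invalid_id"}
    person = REGISTRY.get(id_number)
    if person is None:
        return {"status": "id_not_found"}
    if not person["licence"]:
        return {"status": "no_licence"}
    return {"status": "ok", "name": person["name"]}

def hardened_lookup(id_number: str) -> dict:
    """Only the public checksum result is revealed before authentication."""
    if not luhn_ok(id_number):
        return {"status": "invalid_id"}
    # Assumption: registry matching happens in a later, authenticated step.
    return {"status": "accepted"}

def distinct_outcomes(lookup, id_numbers) -> set:
    """Serialised responses an unauthenticated caller can tell apart."""
    return {json.dumps(lookup(i), sort_keys=True) for i in id_numbers}

SAMPLES = [HAS_LICENCE, NO_LICENCE, UNASSIGNED, "1234"]
```

Comparing `distinct_outcomes(leaky_lookup, SAMPLES)` with `distinct_outcomes(hardened_lookup, SAMPLES)` gives a quick regression check that a pre-authentication endpoint answers no more than the format question.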
A good initiative, but someone really needs to be vetting these things before they go out.