Pangkalan Data Utama (PADU) made its official debut yesterday after a grand launch event in Putrajaya. However, several flaws were discovered inside the government’s latest signature digital project within just hours of its public rollout.
This critical flaw revolves around the user’s password
While the most talked about flaw was the MyKad-related issue raised by the former Deputy Minister of International Trade and Industry, Ong Kian Ming, there was another issue with the centralized database that is even more critical. According to developer and X user @drmsr_dev, the password of a PADU account could be changed easily just by using the account holder's IC number.
In a set of screenshots that were shared through the popular social media platform, drmsr_dev demonstrated that this flaw can be taken advantage of easily through API calls by someone savvy enough. He has since published an in-depth analysis of the security flaw through his Hashnode blog.
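The design error described above is a password-change operation that identifies the account by a public identifier (the IC number) but never asks the caller to prove ownership. The following is an added illustration, not PADU's code or drmsr_dev's analysis: a weak handler beside a hardened one that demands the current password or a single-use reset token; all account data, names and functions are constructed for the example.

```python
# Added example (hypothetical code, not PADU's): a password-change routine that
# trusts the IC number alone, next to one that requires proof of ownership.
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample account keyed by IC number. SHA-256 is used only to keep the
# example short; real systems should use a slow password hash (argon2, bcrypt).
ACCOUNTS = {"900101-14-5678": {"pw_hash": hashlib.sha256(b"old-pass").hexdigest()}}
# Single-use tokens, issued only after an out-of-band check of a registered channel.
RESET_TOKENS: dict = {}


def _hash(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def change_password_weak(ic: str, new_pw: str) -> bool:
    """Weak design: anyone who knows the IC number can overwrite the password."""
    acct = ACCOUNTS.get(ic)
    if acct is None:
        return False
    acct["pw_hash"] = _hash(new_pw)
    return True


def issue_reset_token(ic: str) -> str:
    """Called only after the owner has confirmed a registered e-mail/phone."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[ic] = token
    return token


def change_password_hardened(ic: str, new_pw: str, current_pw: Optional[str] = None,
                             reset_token: Optional[str] = None) -> bool:
    """Hardened design: the IC number only selects the account; the caller must
    also present the current password or a valid single-use token for it."""
    acct = ACCOUNTS.get(ic)
    if acct is None:
        return False
    if current_pw is not None and hmac.compare_digest(acct["pw_hash"], _hash(current_pw)):
        pass
    elif reset_token and ic in RESET_TOKENS and hmac.compare_digest(RESET_TOKENS[ic], reset_token):
        del RESET_TOKENS[ic]  # token is consumed on first use
    else:
        return False  # knowing the IC number alone is not enough
    acct["pw_hash"] = _hash(new_pw)
    return True


def verify_login(ic: str, pw: str) -> bool:
    acct = ACCOUNTS.get(ic)
    return acct is not None and hmac.compare_digest(acct["pw_hash"], _hash(pw))
```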
The Ministry of Economy acknowledged the security issue
A few hours after this issue was exposed to the public, drmsr_dev noted in a follow-up tweet that the team behind PADU had changed the API to fix the flaw. In addition to that, the Ministry of Economy has since acknowledged the flaw through a tweet earlier today.
Aside from saying that the agency is constantly monitoring feedback from the public, the tweet also noted that improvements are currently being implemented as we speak. Furthermore, the ministry deemed the discovery of the flaw and subsequent feedback as a “positive criticism”.
This may affect the public’s opinion of PADU
Since it deals with personal data that belongs to millions of Malaysians, security has always been a lingering concern for PADU. The discovery of this critical flaw certainly doesn’t help its reputation.
In many ways, it may shake the public’s confidence in the new centralized database which is supposed to help improve government policies and subsidy distribution. Let’s not forget that there have been so many data leak incidents involving government agencies such as SOCSO, JPN, and MCMC.
PADU can only meet its objective properly if it can obtain up-to-date details from the majority of the population. If the Rakyat is not confident of the government’s capability to keep their data safe and refuses to submit their details, what will then happen to the project which costs millions of Ringgit?
Many have begun to wonder whether PADU went through enough testing or proper security audits before it went live yesterday. Even though credit must be given to PADU's administrators, who swiftly fixed the flaw despite it being discovered after working hours, it is something that should not have happened in the first place.