It appears that one of the Inland Revenue Board’s (LHDN) payment portals has a potential data exposure concern. One of our readers has tipped us about a vulnerability which allows unauthorised individuals to view personal details including full name, IC number, address, email and phone number.
The payment portal in question has a receipt API which generates slips in PDF format. However, the slips are accessible publicly by going through the running numbers and they can be viewed without logging in. As shown above, the PDF slips contain personal information which could be misused for nefarious purposes if they fall into the wrong hands. It could also be a potential source for data harvesting.
All government agencies and departments must take proactive steps to safeguard personal information. By right, these slips should only be accessible to the intended user. Our tipster suggested that a possible solution is to use UUID (Universal Unique Identifier) as the slip ID so that it is more random and harder to tamper with compared to the current running number implementation.
We’ve notified and contacted LHDN’s Communications and Security Division on the matter.
