PUTRAJAYA,.The Ministry of Education’s School Examination Analysis System (SAPS) was taken offline yesterday, following the discovery of a security exploit that could have potentially exposed the personal details of more than 10 million citizens.
Malay Mail was alerted of the vulnerability on Friday evening by a reader, who insisted on remaining anonymous and had reached out to the media after claiming the ministry had previously ignored his warning.
The paper later alerted the Malaysian Computer Emergency Response Team (MyCERT), following consultations with tech blogger Keith Rozario, who has covered data breaches extensively, and Khairil Yusof, the co-founder of local technology advocacy group Sinar Project.
MyCERT responded to Malay Mail on Saturday noon, and the website was later taken down that same day.
SAPS is a portal for students and their parents to access their examination results online, by entering the students’ MyKad number.
The data can also be retrieved by the District Education Office, National Registration Department and the Education Ministry.
“Great system, but the backend is a total failure They store millions of records of students’ detail, but they never hide this information. Some very personal details can be accessed without permission, and they are just ignoring it.
“The system has been flawed since day one,” said the anonymous source.
SAPS was launched in 2011. The source did not indicate why he had only now alerted the ministry and the media of the vulnerability.
The extent of the data breach
The source claimed that he could download the data of 4,940,203 students from the server, which could potentially expose over 10.3 million Malaysians in total, since the information of each parent is linked to their children.
With 28.7 million citizens as at the first quarter of this year, according to Department of Statistics, it could have affected over a third of the total number of Malaysian citizens.
Malay Mail had sighted the nearly 1GB of data the source had managed to pull from the server, but has not yet been able to verify its authenticity. The source has since deleted his copy of the data, but not before allowing access to other media outlets.
Rozario, who went through some of the data, said although the number of people affected was smaller than previous breaches, the types of data affected were more wide-ranging.
“The data includes the MyKad numbers of students, and both their parents. Hence, it captures the marital status and spousal information of adults, as well as the information of their school-going children. It’s a breach that affects the entire family unit.
“Years from now, when these children grow up, get a job, and finally earn enough to have a credit card, the answer to their security question of ‘mother’s maiden name’ is in this breach,” he told Malay Mail.
Rozario said the data downloaded seemed to only impact children born between 1995 and 2006 — which also included the children’s school details, current address, and even class and teacher information.
“It’s quite easy to piece together who a child’s classmates are, and who the parents of the classmates are as well, creating a very rich data set of a child’s schooling friend and family,” he said.
Rozario said the data also involved around 450,000 teachers, which included the subjects they teach, and the schools that they are attached to. Since the range of the teachers included those aged 19 to 85, the data would presumably detail those retired as well.
In his complaint, the reader said he could monitor the teachers keying in their data into SAPS, since the information was sent over the internet without a secure HTTPS connection. Anyone else who was listening would also be able to collect similar data, he said.
He also complained about the login mechanism as “a total joke”, since the passwords were stored in a plain text document without any encryption or hashing.
“It was like a door with no walls beside it; you could just bypass it,” the source said.
He also listed several other technical problems with the system, including the failure to “sanitise” user input, which could have prevented intruders from inserting their own code into an entry field for the system to execute.
“The exploit was an SQL injection, which could be performed by a child. Just take a lesson and around five hours, and they can get all the database from the server,” he said.