The Administrative Adjudication of Road Traffic Offences (Aarto) act was recently deemed unconstitutional by the High Court on 13 January 2022. The act planned to introduce a demerit points system on motorists’ licences in the case of infringements.
Now it has been found that the online portal that logs these infringements exposed the personal data of every South African who received an infringement notice under the law. This is according to a report by MyBroadband that received information from an anonymous independent security researcher.
The researcher found that the exposed information included full names, ID numbers, residential or business addresses, phone numbers, vehicle registration info and the infringement details. That right there is a treasure trove of personal information.
Aarto’s API ache
According to the source, Aarto used a RESTful API (an Application Programming Interface, the software layer that lets two applications communicate). This API allowed motorists to check their infringements and fines on the online portal.
None of the information was protected by a password or any other form of authentication, which meant anyone could go to the API address, enter a guessed infringement notice number and retrieve a random citizen's personal information as plain text.
This address is no secret – anyone visiting the Aarto website could easily find it if they were knowledgeable enough.
The API was secured after MyBroadband made the agency aware of the security flaw. No more personal information was accessible after the portal was briefly taken offline. “The security researcher who reported the issue checked the Aarto website and found that the API now uses cryptographic tokens to authorise requests,” it reports.
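The two patterns described above, the unauthenticated lookup by notice number and the later token-based authorisation, as an added illustration that is not code from the Aarto portal or from MyBroadband. The record store, the notice numbers, the holder identifiers and the HMAC token format are all constructed assumptions; the point is that the hardened lookup requires a valid token and also checks that the notice belongs to the token holder, so a guessed notice number on its own returns nothing.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample records standing in for the portal's infringement data (not real people).
INFRINGEMENTS = {
    "AN-1001": {"holder_id": "ID-A", "name": "Example Motorist A", "offence": "Speeding"},
    "AN-1002": {"holder_id": "ID-B", "name": "Example Motorist B", "offence": "Parking"},
}
SECRET = secrets.token_bytes(32)  # hypothetical server-side signing key, kept off the client


def lookup_unauthenticated(notice_no):
    """Weak pattern from the report: whoever supplies a notice number gets the record."""
    return INFRINGEMENTS.get(notice_no)


def issue_token(holder_id, ttl=600):
    """Issue a short-lived token binding the caller to one holder_id (assumed format)."""
    exp = int(time.time()) + ttl
    msg = f"{holder_id}|{exp}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{holder_id}|{exp}|{sig}"


def verify_token(token):
    """Return the holder_id if the signature is valid and the token has not expired, else None."""
    try:
        holder_id, exp_s, sig = token.split("|")
        exp = int(exp_s)
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{holder_id}|{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or exp < time.time():
        return None
    return holder_id


def lookup_authorised(notice_no, token):
    """Hardened pattern: a valid token is required and the record must belong to its holder."""
    holder_id = verify_token(token)
    if holder_id is None:
        return None  # would be HTTP 401
    rec = INFRINGEMENTS.get(notice_no)
    if rec is None or rec["holder_id"] != holder_id:
        return None  # same answer for "missing" and "not yours", so notice numbers can't be enumerated
    return rec
```

Returning the same response for a non-existent notice and for someone else's notice matters: a distinguishable answer would still leak which notice numbers exist.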
How long the vulnerability was exposed has not been disclosed, and South African motorists' information was accessible for that entire period. Lucky for those with fines (never thought we'd say that line), motorists can still check their fines, and the API is secured now. Phew.