Over 10 million Malaysian citizens' records were exposed by an SQLi bug
According to the Malaysian outlet Malay Mail, the School Examination Analysis System (SAPS), launched by the Malaysian Ministry of Education, was taken offline after a security flaw was found that could expose the personal information of more than 10 million citizens.
The report says an anonymous reader contacted Malay Mail on Friday evening, stating that the Ministry of Education had ignored his earlier warnings and that he had turned to the media as a result.
After consulting technical blogger Keith Rozario and Khairil Yusof, co-founder of the local technology advocacy organisation Sinar Project, Malay Mail alerted the Malaysian Computer Emergency Response Team (MyCERT). MyCERT responded to Malay Mail at noon on Saturday, and the system was taken offline later the same day.
SAPS is a portal for examination results. Students or parents can view a student's results online by entering the student's MyKad number. The same data can also be retrieved by regional education offices, the national registration authority and the Ministry of Education.
“Great system, but the backend is a total failure. They store millions of records of students’ details, but they never hide this information. Some very personal details can be accessed without permission, and they are just ignoring it. The system has been flawed since day one,” the anonymous reader said.
SAPS was launched in 2011. The reader told Malay Mail that the vulnerability surfaced only recently, after the Ministry of Education updated the SAPS interface.
The anonymous reader claimed he could download the records of more than 4.9 million (4,940,203) students from the server. Because each parent's personal information is linked to their child's record, more than 10.3 million Malaysian citizens may be affected in total.
According to figures released by the Department of Statistics Malaysia for the first quarter of this year, Malaysia currently has 28.7 million citizens, so the leak may have affected more than one-third of them.
Malay Mail has established that the anonymous reader downloaded nearly 1GB of data from the server, but has not been able to verify its authenticity. The reader has since deleted his copy of the data, but it may have been shared with other media.
Rozario, who had seen some of the data, said that although the number of affected people is lower than first expected, the range of data affected is broader.
Rozario said: “It’s quite easy to piece together who a child’s classmates are, and who the parents of the classmates are as well, creating a very rich data set of a child’s schooling friend and family.”
“The exploit was an SQL injection, which could be performed by a child. Just take a lesson and around five hours, and they can get all the database from the server,” he said.
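The defect class Rozario describes, a lookup by MyKad number that splices the user's input straight into the SQL text, is shown below beside the parameterised form that fixes it. This is an added illustration, not SAPS code; the table, the sample rows and the assumption that a MyKad number is exactly 12 digits without separators are constructed for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for a results table; not SAPS data.
SAMPLE_ROWS = [
    ("000101010001", "Student A", "BM", 85),
    ("000101010001", "Student A", "MATH", 72),
    ("010202020002", "Student B", "BM", 66),
]

# Assumed MyKad format for this example: 12 digits, no separators.
MYKAD_RE = re.compile(r"^\d{12}$")


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE results (mykad TEXT, name TEXT, subject TEXT, score INTEGER)"
    )
    conn.executemany("INSERT INTO results VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, mykad):
    """Vulnerable pattern: the caller's input becomes part of the SQL statement,
    so a value containing quotes rewrites the WHERE clause instead of matching it."""
    sql = f"SELECT name, subject, score FROM results WHERE mykad = '{mykad}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, mykad):
    """Hardened pattern: reject anything that is not a well-formed MyKad number,
    then bind the value as a parameter so the database treats it purely as data."""
    if not MYKAD_RE.match(mykad):
        raise ValueError("MyKad number must be exactly 12 digits")
    sql = "SELECT name, subject, score FROM results WHERE mykad = ?"
    return conn.execute(sql, (mykad,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(lookup_safe(db, "000101010001"))   # only Student A's two rows
    print(lookup_unsafe(db, "' OR '1'='1"))  # every row: the clause was rewritten
```

The format check and the bound parameter are independent defences: the parameter binding alone already stops the injection, while the format check also gives the application a clean place to log and rate-limit malformed requests, which is the signal a monitoring team would want for spotting a bulk-download attempt like the one described above.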