South African Police Web Application for Whistleblowers Hacked via SQL Injection

Tue, 28 May 2013 - by Robert Abela

The repercussions of an exploited web application vulnerability such as an SQL injection can be severe. In this particular case, by exploiting an SQL injection vulnerability, malicious hackers published a list of whistleblowers in South Africa, endangering their lives. This example highlights the importance of identifying each and every web application vulnerability, since a malicious hacker only needs to exploit one. This blog post covers the full details of the attack.

This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.

On the 17th of May 2013, a group of hackers called DomainerAnon took responsibility for the hack of the South African Police Services (SAPS) website. DomainerAnon also claims an affiliation with the popular hacking group Anonymous.

In 2012, a member of the group had already tweeted that he believed the South African Police web applications and servers were vulnerable to attack, like many other South African government websites. Back then he did not have any motive to attack them, but after the Marikana massacre, in which several striking miners were shot by the police, DomainerAnon retaliated and hacked the South African Police Services website.

South African Police Service Website Hack Details

The South African police website hosts an ASP web application called Crime Stop. The general public can use Crime Stop to report criminal activity by submitting details through an online form. At the time of writing, the ASP web application is still offline.

DomainerAnon exploited a simple SQL injection vulnerability and retrieved sensitive data from the Oracle backend database. The database dump, which included the names, phone numbers, email addresses and ID numbers of people who had submitted crime reports, was uploaded to a public website.

The 15,700 individuals who used the website from 2005 onwards, and who thought they had been providing information to the police anonymously and securely, now have their names known to everyone who managed to get their hands on the data dump.

The database dump also included the reports themselves, which range from rape cases to police brutality and beatings. David Viaene posted a few censored examples on his blog. The dump also contained the usernames and passwords of around 40 South African Police Service personnel. The database dump is currently no longer available to the public.

The South African police initially denied the attack, until a reporter from eNCA, a leading South African TV news channel, contacted people whose names and contact details were found in the database dump. The official eNCA report can be found here.

Safety Concerns

From a technical point of view, this hacking attack seems to be a very typical one, in which sensitive information is disclosed to the public as an act of whistleblowing. But in this case, the whistleblowers themselves are the victims. What is worrying is that every person accused of a crime in one of these reports can now find out who reported him or her. As a matter of fact, several victims of this SAPS hack are very concerned about their safety.

Web Application Security Reality Check

Hacktivism, i.e. hacking to promote political beliefs, is on the increase, and people's lives are being affected by it. Every website and web application owner should take responsibility and ensure that the data of everyone using his or her web applications is secure.

There is no magic formula one can use to secure web applications. Frequent scans with a web application security scanner will definitely save the day. In this particular case, if the South African Police Services had used Netsparker to scan their web application, they would have discovered the SQL injection vulnerability and avoided all this kerfuffle.
