The recent launch of Ghana Post GPS by the president of Ghana, His Excellency Nana Akufo Addo, came with a lot of mixed feelings. While a portion of Ghanaians, both residents and non-residents, were excited, another section didn’t share in their joy.
Today CBT Tech News features Ernest Appiah and his view on the Ghana Post GPS App.
National Addressing System (GPS): Technical Review (Security Issues)
1. I managed to map out their entire API’s URLs and realized I can simply make CRUD requests without any authentication. So I decided to use their own API and Database instead of creating my own Database and API.
2. Ideally, running from my local machine, their web server should reject any HTTP request from an unknown domain or be using basic CORS restrictions. My App managed to break through.
3. Since I can make requests to their API easily, if I want to, I can explore the possibility of performing SQL injection.
4. I managed to get the list of all the Districts in their system with a simple HTTP GET request. See attached image.
5. They keep reaching the limit of their Google Map API usage, and I keep getting repeated warnings. A hacker can easily use their Google Map API and run billions of requests to increase their API usage charges. To test this, I made 500 concurrent requests. See the attached image. Error: “The API project is not authorized to use this API.”
6. I did a basic Clickjacking (a type of attack where a malicious site wraps another site in a frame) on the website and it succeeded.
7. Their input fields to enter the name and phone number accept gibberish. This means that the platform is vulnerable to Cross Site Scripting (XSS), a type of attack that allows a user to inject client-side scripts into the browsers of other users. (Update: Issue has been fixed)
8. Also, irrespective of which country I am currently located in, the system generates a unique code for me. Hackers would love this, because if I am located in the USA, for example, I can generate millions of unique codes. Their database would be overwhelmed and eventually break down. Instead of the 16.1 billion unique codes estimated by Vokacom for 27 million Ghanaians, it could be quadruple, quintuple, sextuple, septuple, octuple, …, n‑tuple. Basically, 16,000,000,000 x n-tuple. Can you think about the massive amount of redundant data that would be generated? (Update: Issue has been fixed)
9. And the list goes on and on…
The Government has a good vision for Ghana, however, Vokacom cannot deliver such a poor platform to the Government for such an incredible amount. I will encourage the Government to hire security experts to really look into this.
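For readers wondering what the fixes for findings 1, 2, 6 and 7 look like in practice, here is an added example written for this post (it is not Ghana Post GPS or Vokacom code): a framework-free request handler that requires authentication on a write request, refuses browser requests from origins outside an allow-list, validates the name and phone fields instead of storing gibberish, and sends anti-framing headers. The allow-listed origin, the token and the handler name are constructed placeholders.

```javascript
// Added example, not the platform's own code. The origin, token and
// handler name below are constructed placeholders for demonstration.
const ALLOWED_ORIGINS = new Set(["https://app.example.gh"]); // assumption
const VALID_TOKENS = new Set(["constructed-demo-token"]);    // assumption

// Finding 6 (clickjacking): forbid any other site from framing the page.
const SECURITY_HEADERS = {
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "frame-ancestors 'none'",
  "X-Content-Type-Options": "nosniff",
};

// Finding 7: a name is letters, spaces, apostrophes or hyphens (2-60 chars);
// a phone is an optional leading '+' followed by 10-15 digits.
const NAME_RE = /^[\p{L}][\p{L} '-]{1,59}$/u;
const PHONE_RE = /^\+?\d{10,15}$/;

// Escape for an HTML context so a stored value can never become script.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// req = { method, headers: { origin, authorization }, body: { name, phone } }
// Returns a plain { status, headers, body } object so it can be tested offline.
function handleCreateAddress(req) {
  const headers = { ...SECURITY_HEADERS };
  const deny = (status, error) => ({ status, headers, body: { error } });

  // Finding 1: every write to the API needs a valid bearer token.
  const auth = req.headers.authorization || "";
  const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
  if (!VALID_TOKENS.has(token)) return deny(401, "authentication required");

  // Finding 2: a browser request from a foreign origin is refused, and the
  // CORS allow header is only ever echoed for an allow-listed origin.
  const origin = req.headers.origin;
  if (origin !== undefined) {
    if (!ALLOWED_ORIGINS.has(origin)) return deny(403, "origin not allowed");
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin";
  }

  // Finding 7: reject malformed input rather than storing it.
  const { name = "", phone = "" } = req.body || {};
  if (!NAME_RE.test(name)) return deny(400, "invalid name");
  if (!PHONE_RE.test(phone)) return deny(400, "invalid phone");

  return { status: 201, headers, body: { name: escapeHtml(name), phone } };
}
```

A request carrying a script tag as the name is rejected with 400 before it reaches storage, and a request without a token never gets as far as input validation.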