Malasyan Central Database Hub PADU found vulnerable to insecure password reset hours after launch

published: Jan. 3, 2024

Take action: When designing a system, consider scenarios outside of the 'happy path' use. Assume that people will try to break your application, whether because of malice or just pure curiosity. Ideally build the registration and authentication logic from a well known and tested framework - because thousands of people have already tested it and weeded out the loopholes.


Learn More

Shortly after its launch by the Malaysian government, the Central Database Hub (PADU) faced a significant cybersecurity challenge. A developer quickly discovered a major flaw in PADU's API that allowed potential bad actors to change a user's login password using just their Identity Card (IC) number.

The technical teams of the Ministry of Economy, acknowledged the flaw following the developer's public disclosure on social media and took immediate action to rectify it. By the following night, the ministry confirmed that the flaw had been fixed, a claim corroborated by the developer who initially reported the problem.

Other users have raised further concerns about PADU's security. There is a process loophole in the registration process: anyone possessing an individual's IC number and postcode could potentially create a PADU account in that person's name without their consent. This issue arises because identity verification in the system only occurs after account creation. Such a loophole could prevent legitimate IC number owners from registering their own accounts.

Malasyan Central Database Hub PADU found vulnerable to insecure password reset hours after launch