It is unbelievable, but the Malaysia Ministry of Education’s website uses plain text CAPTCHA that can be copied and pasted!
Take a look at this incredible security lapse, and find out why it could put your data at risk!
Ministry of Education Website Uses Plain Text CAPTCHA!
The recent threat by Anonymous Malaysia to attack government websites over their lack of security appears to be well-justified.
Qusyaire Ezwan spotted an incredible security lapse in the official Malaysia Ministry of Education website – plain text CAPTCHA!
On top of that, the code can actually be copied and pasted!
Ministry of Education Plain Text CAPTCHA : A Serious Cybersecurity Risk!
The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) test is something most of us are familiar with.
It is a test that helps to identify real humans, and weed out bots, before they are allowed to access a service. This prevents bot fraud and hacking attempts.
In the Ministry of Education website, the plain text CAPTCHA was used to “secure” the retrieval of forgotten passwords for their Student Management Module.
A real CAPTCHA uses distorted images to prevent a bot from “reading” the numbers or letters, thereby ensuring that only a real human being would be able to key in the correct code.
As this screenshot shows, the CAPTCHA used in the Ministry of Education website just uses random sequences of letters and numbers in PLAIN TEXT!
This means a bot can easily copy and paste the plain text code, and bypass the CAPTCHA test.
Frankly, this doesn’t even qualify as a CAPTCHA test, because it cannot differentiate between humans and bots.
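The check below is an added example, not code from the Ministry's website or from this article: a release test a site owner could run to confirm that the expected CAPTCHA answer is never readable as text anywhere in the served page. The function name, the sample pages and the `expected` hidden field are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample responses (not taken from any real site).
PLAIN = '<form><span>X7</span><span>kP2</span><input name="captcha"></form>'
HIDDEN = ('<form><img src="/captcha?id=1" alt="challenge image">'
          '<input type="hidden" name="expected" value="X7kP2"></form>')
SAFE = '<form><img src="/captcha?id=1" alt="challenge image"></form>'


class _Collector(HTMLParser):
    """Gathers every place a response can carry machine-readable text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.attrs, self.comments = [], [], []

    def handle_starttag(self, tag, attrs):
        # Also called for self-closing tags such as <input ... />.
        self.attrs += [(tag, name, value) for name, value in attrs if value]

    def handle_data(self, data):
        self.text.append(data)

    def handle_comment(self, data):
        self.comments.append(data)


def _norm(s):
    # Ignore case and whitespace so "X 7 k P 2" still matches "x7kp2".
    return "".join(s.split()).lower()


def find_answer_leaks(html, answer):
    """Return the places where the expected answer is readable in the markup."""
    needle = _norm(answer)
    if not needle:
        raise ValueError("answer must not be empty")
    c = _Collector()
    c.feed(html)
    c.close()
    leaks = []
    # Joining text nodes catches an answer split across several elements.
    if needle in _norm("".join(c.text)):
        leaks.append("text")
    leaks += [f"attr:{t}[{n}]" for t, n, v in c.attrs if needle in _norm(v)]
    if any(needle in _norm(x) for x in c.comments):
        leaks.append("comment")
    return leaks
```

An empty result only shows that the answer is absent from the markup; it says nothing about how hard the challenge image itself is for software to read.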
Now, the password is still sent to the registered email accounts, not to the hackers or bots. So your data is not in immediate danger.
However, this is still a SERIOUS cybersecurity risk, because a hacker can pair this design flaw with compromised email accounts.
It would allow their bots to easily and quickly make password retrieval requests for compromised email accounts, and then retrieve your Ministry of Education password.
Having access to the Student Management Module would give hackers access to a ton of information on children and their parents :
- child : name, date of birth, telephone number, home address
- school : location, class name, teacher’s name
- parent : name, occupation, workplace address, contact number, declared salary
On top of that, many people reuse their passwords, so hackers will use the password retrieved from the Ministry of Education website on other websites and online services you may use.
If you use the same password for your banking account, for example, that would expose your banking account to the hacker.
That is why CAPTCHA is important. It doesn’t prevent hacking attempts, but it greatly slows them down by blocking bots from making mass requests.
The use of plain text CAPTCHA in an official government website is a fiasco. A basic cybersecurity checklist would have prevented software vendors from using plain text CAPTCHA in government websites.
The Malaysian government needs to take the security of official websites seriously. This is a disgrace.