PETALING JAYA: The Domestic Trade and Consumer Affairs Ministry has suspended the newly-launched Petrol Subsidy Programme microsite after a tech portal reported that it exposed users’ bank account details.
The ministry's head of corporate communication, Yunus Tasim, said the ministry is aware and investigating the issue.
"Once we got the news, we decided to put the website on hold because we don't want to risk anything. We don't want users to be sceptical about our system."
He added that once the issue is rectified, the ministry will restore the system.
Local tech forum Lowyat.net had reported that once a person's MyKad number is entered in the portal, the page displays only the last four digits of the user's bank account number.
However, when Lowyat inspected the page source, the full account number was present: the data sent to the browser contained the complete number, and it was only masked for display on the client side.
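The defect Lowyat describes is client-side masking: the server sends the whole account number and the browser merely hides most of it, so anyone who views the page source or the network response sees the full value. The following is an added example, not the ministry's or Lowyat's code, using a constructed record and hypothetical function names; it contrasts the leaky pattern with masking done on the server before the data is serialised, and includes the check a tester would run against the raw response body.

```javascript
// Constructed sample record (not real data). The account number is the
// secret that must never reach the browser in full.
const RECORD = { mykad: "000000000000", name: "Sample User", account: "1234567890123" };

// Mask everything except the last `keep` digits. Applied on the server,
// this is the only form of the number that should leave the backend.
function maskAccount(account, keep = 4) {
  const digits = String(account);
  if (digits.length <= keep) return "*".repeat(digits.length);
  return "*".repeat(digits.length - keep) + digits.slice(-keep);
}

// VULNERABLE pattern: the API serialises the full account number and the
// page script trims it for display. The full value is in the response body
// and therefore in the page source / devtools network tab.
function vulnerableResponse(record) {
  return JSON.stringify({ name: record.name, account: record.account });
}
function vulnerableRender(json) {
  const data = JSON.parse(json);
  return `${data.name}: ****${data.account.slice(-4)}`; // hides it only visually
}

// HARDENED pattern: mask before serialising, so the browser never receives
// the unmasked number. The render code has nothing sensitive to hide.
function hardenedResponse(record) {
  return JSON.stringify({ name: record.name, accountMasked: maskAccount(record.account) });
}
function hardenedRender(json) {
  const data = JSON.parse(json);
  return `${data.name}: ${data.accountMasked}`;
}

// Tester's check: does the raw body sent to the client contain the secret?
// Run this against the actual HTTP response, not against what the DOM shows.
function leaksSecret(body, secret) {
  return body.includes(String(secret));
}

// Stand-alone demonstration.
console.log("vulnerable body :", vulnerableResponse(RECORD), "leaks:", leaksSecret(vulnerableResponse(RECORD), RECORD.account));
console.log("hardened body   :", hardenedResponse(RECORD), "leaks:", leaksSecret(hardenedResponse(RECORD), RECORD.account));
console.log("displayed       :", vulnerableRender(vulnerableResponse(RECORD)), "/", hardenedRender(hardenedResponse(RECORD)));
```

The point of `leaksSecret` is that both versions look identical in the rendered page; the difference is only visible in the response body, which is exactly where Lowyat found the number. Masking in the server handler is the kind of small change to the code that Fong calls a quick fix, but it has to be the only place the number is shaped for display, or the full value will reappear in some other response.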
Yunus said the ministry will be in touch with Lowyat for more information.
"We would like to thank all the users for their patience and feedback given to us," he said.
Cybersecurity company LGMS director Fong Choong Fook said the security flaw is most likely the result of the ministry rushing to launch the microsite.
The Petrol Subsidy Programme microsite, which went live on Oct 15, is for users to find out if they are eligible for petrol subsidy, as announced in Budget 2020.
"The bigger concern now is if someone can use the website as a tool to phish out information, just imagine what that person can do with the details," Fong said.
"They could impersonate a bank officer and call a victim for extortion. A lot of exploitation can be done here."
Dr Aswami Fadillah Mohd Ariffin, president of Protem Digital Forensics Research Society (DFRS), said web-based development should go through security auditing at the staging level before production to avoid any security issues when the site goes online.
He said that the website developer must ensure secure coding and infrastructure design are followed before giving the go ahead for the launch.
Once the ministry rectifies the issue and rechecks again, it can give users access to the website, he added.
Fong said the issue can be rectified with a "quick fix on the coding side".