A hacker by the name of “Moe1” has revealed to E-toll users that the PIN numbers they use to log in to their E-toll accounts can be easily decoded if their username is known.
The mysterious Moe1 explained that the registration page is part of a standard two-stage registration process, where you would click on a link in an email in order to confirm your account.
Moe1 pointed out that the link sent to the user’s email account is seriously unsafe, seeing that it provides the user’s PIN number on the confirmation screen.
SANRAL must have thought that using asterisks to hide the PIN numbers would suffice, but the numbers still appear in the page’s source code, something anyone can access from nearly any browser.
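The masking problem described above can be caught before release by scanning rendered pages for secret fields that arrive pre-filled. The check below is an added example, not code from SANRAL, Moe1 or the original article; it assumes the PIN is delivered as the value of a form input, and the field names and sample markup are constructed.

```python
import re
from html.parser import HTMLParser

# Assumption: name tokens that mark a field as holding a secret.
SECRET_TOKENS = {"pin", "password", "passwd", "pwd", "secret"}

class PrefilledSecretFinder(HTMLParser):
    """Flags <input> elements whose markup ships a secret to the browser."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr = {k: (v or "") for k, v in attrs}
        value = attr.get("value", "").strip()
        if not value:
            return  # nothing pre-filled, so nothing is exposed in the source
        kind = attr.get("type", "text").lower()
        name = (attr.get("name") or attr.get("id") or "").lower()
        tokens = set(re.split(r"[^a-z0-9]+", name))
        # A password-type input only masks what is drawn on screen; its value
        # attribute is still plain text in the response body.
        if kind == "password" or tokens & SECRET_TOKENS:
            # Record the length only, so the report does not copy the secret.
            self.findings.append((name or "<unnamed>", kind, len(value)))

def find_prefilled_secrets(html):
    """Return (field name, input type, value length) for each exposed field."""
    finder = PrefilledSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup, not taken from the E-toll site.
LEAKY_PAGE = """
<form><input type="text" name="shipping_ref" value="A1">
<input type="password" name="pin" value="4821"></form>
"""
FIXED_PAGE = """
<form><input type="password" name="pin" autocomplete="off"></form>
"""

if __name__ == "__main__":
    print(find_prefilled_secrets(LEAKY_PAGE))
    print(find_prefilled_secrets(FIXED_PAGE))
```

A page passes when the function returns an empty list; the corrected form never sends the stored PIN back to the browser at all.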
According to Moe1, a hacker who has someone’s E-toll username could obtain pretty much anything: ID numbers, vehicle license plate numbers, postal addresses, and payment methods. Moe1 wrote in an advisory letter:
It is great that Sanral informs you to keep your pin safe in their ‘Terms and conditions’ but it’s not very great that they give out your pin to anyone that basically requests for it.
SANRAL is yet to say, do, or think anything.
[Source : Mybroadband]