Sassa's online system at risk of cyber threats

The students, Veer Gosai and Joel Cedras, found that their ID numbers were used to apply for the SRD grant. Picture: Screenshot

Published 17h ago

The South African Social Security Agency (Sassa) is exposed to unauthorised access, data breaches, service disruption and reputational damage if the vulnerabilities identified in its online system are exploited.

These were among the findings of a preliminary investigation report covering a vulnerability assessment (VA) and penetration test (PT) of the Social Relief of Distress (SRD) online system, presented to the portfolio committee by the Department of Social Development (DSD) and Sassa on Wednesday.

The investigation came after two first-year Stellenbosch University students did their own investigation and found that Sassa’s system was vulnerable.

The students discovered several alleged vulnerabilities using a combination of randomly generated South African ID numbers and public access to Sassa’s Application Programming Interface (API). They found that the API imposed no limit on the number of requests, which the students exploited to check the application status of thousands of ID numbers without restriction. The students also claimed that the API exposed sensitive details, such as whether a person had applied for an SRD grant or not.
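The technique described above works because the ID number space is small and predictable: a South African ID number is 13 digits (date of birth, a four-digit sequence number, a citizenship digit, one further digit and a Luhn check digit), so structurally valid numbers can be generated at will and fed to an unauthenticated, unrate-limited status endpoint. The following is an added illustration of how a defender would spot that traffic in access logs; it is not the students’ tooling or Sassa’s code, the log format and the endpoint are assumptions, and all ID numbers and IP addresses are constructed.

```python
"""Spot ID-number enumeration against a grant-status lookup endpoint.

Added example, not the students' tooling or Sassa's code. The log format is an
assumption: "<ISO timestamp> <client IP> <HTTP status> <ID number queried>".
Because structurally valid South African ID numbers can be generated freely,
the detector keys on client behaviour (distinct IDs per sliding window), not on
whether a queried ID is well-formed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for the first 12 digits of an SA ID number."""
    total = 0
    # Walk from the right; the digit next to the check digit is doubled first.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def sa_id_is_valid(id_number: str) -> bool:
    """Structural check only: 13 digits, a real calendar date, correct check digit."""
    if len(id_number) != 13 or not id_number.isdigit():
        return False
    try:
        datetime.strptime(id_number[:6], "%y%m%d")
    except ValueError:
        return False
    return luhn_check_digit(id_number[:12]) == id_number[12]


def detect_enumeration(log_lines, window=timedelta(minutes=1), max_distinct=20):
    """Flag clients that query more than max_distinct different ID numbers
    within any sliding window of the given length.

    Returns {client_ip: peak number of distinct IDs seen in one window}.
    Lines for each client must be in chronological order.
    """
    recent = defaultdict(deque)  # client IP -> deque of (timestamp, ID number)
    flagged = {}
    for line in log_lines:
        ts_text, client, _status, id_number = line.split()
        ts = datetime.fromisoformat(ts_text)
        q = recent[client]
        q.append((ts, id_number))
        while ts - q[0][0] > window:  # drop entries that fell out of the window
            q.popleft()
        distinct = len({queried for _, queried in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


def build_sample_log():
    """Constructed traffic: one client re-checking its own ID a few times, and
    one client walking sequence numbers 0000-0049 for people born on
    15 February 2005. All IDs are synthetic; check digits are computed so the
    probes would pass any format validation the endpoint performs."""
    start = datetime(2025, 1, 15, 10, 0, 0)
    lines = []
    own_id = "8001015009087"  # synthetic but structurally valid
    for i in range(5):
        stamp = (start + timedelta(seconds=i * 10)).isoformat()
        lines.append(f"{stamp} 198.51.100.20 200 {own_id}")
    for seq in range(50):
        body = f"050215{seq:04d}08"  # DOB 2005-02-15, sequence, citizen, 8
        probe = body + luhn_check_digit(body)
        stamp = (start + timedelta(seconds=seq)).isoformat()
        lines.append(f"{stamp} 203.0.113.7 200 {probe}")
    return lines


if __name__ == "__main__":
    for client, peak in detect_enumeration(build_sample_log()).items():
        print(f"{client}: {peak} distinct ID numbers in one minute, likely enumeration")
```

The check-digit routine is there to make the point, not to help the detector: the enumerating client’s probes all pass format validation, so rejecting malformed IDs does nothing, and only the per-client rate of distinct lookups separates it from the legitimate client re-checking its own number.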

DSD noted that the students identified unusually high application rates for individuals born in certain periods, including February 2005 and the years 2003 to 2006, suggesting possible fraud or identity misuse. The students’ own ID numbers also appeared to be linked to SRD applications, although neither of them had ever applied.

On the department’s own preliminary investigation findings, it stated: “The results from the web assessment tool (Acunetix) indicate that the overall threat level for the system is classified as Threat Level 2 (Medium). Our assessment of the Sassa SRD web application revealed vulnerabilities that could compromise the security and functionality of the system.

“These issues include weaknesses in protecting user information, securing system components, and ensuring compliance with modern security standards.

“Misconfigurations in the server allow unauthorised access to internal systems. This could expose critical data and make the system a target for malicious activities.

“The system does not properly restrict untrusted scripts from running, making it susceptible to harmful code execution.

“Additionally, errors in the security settings weaken protection against certain attacks,” DSD stated. DSD added that certain directories on the server were also publicly accessible, which increased the risk of exposing sensitive files such as system configurations or database credentials.

“Important security controls that protect users’ information during web browsing are not implemented, increasing the likelihood of data leakage and misuse.”
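The findings quoted above map onto concrete, checkable controls: a Content-Security-Policy decides which scripts a browser will run, Strict-Transport-Security and Cache-Control protect personal data in transit and on the client, and a Server header carrying a version number helps an attacker pick exploits. The following is an added illustration of such a check, not DSD’s Acunetix output or Sassa’s actual configuration; both header sets are constructed, and the 180-day HSTS threshold is a chosen baseline, not a value from the report.

```python
"""Audit a response's security headers against a baseline a grant-status
endpoint should meet. Added example, not DSD's scanner output or Sassa's
configuration; WEAK_RESPONSE and HARDENED_RESPONSE are constructed."""
import re

# Constructed: a response lacking the browser-side controls the report describes.
WEAK_RESPONSE = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "Content-Type": "application/json",
}

# Constructed: the same response with the controls in place.
HARDENED_RESPONSE = {
    "Server": "Apache",
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
}


def csp_directives(csp: str) -> dict:
    """Parse 'name src src; name src' into {name: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: dict) -> list:
    """Return findings for the given response headers (empty list = pass)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < 15552000:  # chosen baseline: 180 days
        findings.append("HSTS missing or max-age below 180 days")

    csp = h.get("content-security-policy")
    directives = csp_directives(csp or "")
    if csp is None:
        findings.append("no Content-Security-Policy: browser will run any script the page includes")
    else:
        # script-src falls back to default-src; absent both, everything is allowed.
        script_src = directives.get("script-src", directives.get("default-src", ["*"]))
        if not script_src or "*" in script_src or "'unsafe-inline'" in script_src:
            findings.append("CSP permits inline or wildcard script sources")

    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in directives and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing restriction (CSP frame-ancestors or X-Frame-Options)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")

    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("personal data response is cacheable (Cache-Control lacks no-store)")

    if re.search(r"/\d", h.get("server", "")):
        findings.append("Server header discloses software version")

    return findings


if __name__ == "__main__":
    for name, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{name}: {audit_headers(response) or ['no findings']}")
```

Publicly listable directories, the other item in the report, are a server configuration matter rather than a header and are not covered by this check; a scanner finds them by requesting a directory path and looking for an index listing in the body.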

EFF MP Paulnita Marais said the threat sounded high risk, not medium. “There’s a lot of red flags. Is the service provider of the SRD grant system taking any accountability for the lack of security, because they introduced this system in 2020?” she asked.

ANC MP Altia Sthembile Hlongo said the department must focus on resolving the gaps.

“The department must present a detailed action plan to the committee. The plan must outline how Sassa and DSD will strengthen collaboration with other government agencies and key stakeholders in assessing and adapting to cyber threats.”

Addressing the media on the matter on Wednesday, Social Development Minister Sisisi Tolashe assured clients that the integrity of the system remains intact, with various control measures and enhanced security in place to ensure efficient service delivery.

“Sassa will continue to invest in its systems to enhance support and positively impact the lives of our clients. We strive to balance security and improvement with client interaction and accessibility.”

Cape Times