The SSS Website Has Serious Vulnerabilities


The web portals of government services don’t have the best track record when it comes to security. They’re almost comically easy to hack, and even in places where you’d think they’d take security seriously they still manage to bungle basic, commonsense things, like encrypting usernames and passwords so that they can’t be read in the event of a hack – which is exactly what happened with the Commission on Elections’ voter database.

https://www.facebook.com/baquiran.brian/posts/10154037414920753

They Allegedly Didn’t Even Implement the Easy Stuff

Unfortunately, it doesn’t seem that the government has learned its lesson – take the case of the Social Security System. Brian Baquiran, Senior Director at Rising Tide Mobile Entertainment, found that the SSS website did not implement several easy-to-do, best-practice security measures, like hashing and salting usernames and passwords. In layman’s terms, the website stores your username and password in plain text. That means in the event of a hack (which is probably easy to do given SSS’ lack of security), hackers will be able to grab your username and password and read them without any difficulty.

What’s worse is that they also store the previous passwords you’ve used on the site. If you reuse any of those passwords anywhere else, we strongly suggest that you change them now, just in case the SSS gets hacked.

The SSS site also does not allow special characters in passwords, making it easier for attackers to guess your password. The site also requires you to disable your browser’s security settings and allow execution of insecure scripts/content before you can view member information like contributions, loan status and the like. Finally, the site sends out your password via unencrypted email in the event that you change your password.
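As an added example (not code from the article, from Brian Baquiran, or from the SSS portal), the following shows how a member portal could store credentials so that a database dump does not expose passwords, covering the three storage problems described above: each password is salted and hashed with PBKDF2-HMAC-SHA256 instead of being kept in plain text, previous passwords are kept only as salted hashes so reuse can still be rejected without retaining the old plaintext, and the policy check accepts special characters. All function names, the iteration count and the sample credentials are assumptions made for this example.

```python
"""Added example: salted password hashing with a hashed password history.

Everything here is constructed for illustration; the names, the iteration
count and the sample credentials are assumptions, not the SSS portal's code.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: PBKDF2-HMAC-SHA256 work factor. Tune it upward on production
# hardware; it is kept modest here so the example runs in a few seconds.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


@dataclass
class StoredPassword:
    """What the database keeps instead of the plaintext: a per-password salt and the derived hash."""
    salt: bytes
    digest: bytes


@dataclass
class MemberRecord:
    username: str
    current: StoredPassword
    # Old passwords are kept only as salted hashes, so a breach does not reveal
    # them, yet reuse can still be detected (see change_password).
    previous: List[StoredPassword] = field(default_factory=list)


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredPassword:
    """Derive a salted hash; a fresh random salt is generated unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return StoredPassword(salt=salt, digest=digest)


def verify_password(password: str, stored: StoredPassword) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hash_password(password, stored.salt).digest
    return hmac.compare_digest(candidate, stored.digest)


def password_meets_policy(password: str) -> bool:
    """Length-only policy (assumed minimum of 12) that deliberately accepts special characters."""
    return len(password) >= 12


# Dummy hash used when the username does not exist, so a failed login takes
# about the same time whether or not the account is real.
_DUMMY = hash_password("dummy-password-for-timing")


def register(store: Dict[str, MemberRecord], username: str, password: str) -> bool:
    """Create an account; only the salted hash of the password is stored."""
    if username in store or not password_meets_policy(password):
        return False
    store[username] = MemberRecord(username=username, current=hash_password(password))
    return True


def login(store: Dict[str, MemberRecord], username: str, password: str) -> bool:
    record = store.get(username)
    stored = record.current if record is not None else _DUMMY
    ok = verify_password(password, stored)
    return ok and record is not None


def change_password(store: Dict[str, MemberRecord], username: str, new_password: str) -> bool:
    """Reject policy violations and reuse of the current or any previous password."""
    record = store.get(username)
    if record is None or not password_meets_policy(new_password):
        return False
    # Each history entry has its own salt, so the candidate is re-derived per entry.
    for old in [record.current] + record.previous:
        if verify_password(new_password, old):
            return False
    record.previous.append(record.current)
    record.current = hash_password(new_password)
    return True


def dump_contains_plaintext(store: Dict[str, MemberRecord], password: str) -> bool:
    """Models what a breach would reveal: a naive dump of the store never contains the password itself."""
    return password.encode("utf-8") in repr(store).encode("utf-8")
```

The reuse check works on hashes only: the candidate password is re-derived with each history entry's salt and compared, so the portal never needs the old plaintext. Combined with a policy that limits only length rather than the character set, this removes the two storage weaknesses the article describes while still enforcing "don't reuse an old password".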

That’s a lot of security flaws, especially for an institution that handles a hell of a lot of citizens’ money for social services.

You can do something about it though – you can complain about the SSS’ lack of basic cybersecurity to the National Privacy Commission, here: http://privacy.gov.ph/contact-us/.

2 comments

  1. it’s not even https

    • Exactly, first thing I look for when logging in to anything. If a site can’t even afford an SSL certificate, why trust logging in with your credentials? That’s why, in my personal experience with our local gov’t, instead of hiring specialists like me which they deem expensive, they get someone who says “they know how to make websites” like it’s a high school project or something…
