LTO exposes information of thousands due to misconfiguration


New cybersecurity problems have come up unnoticed by ordinary users while we are all preoccupied with the pandemic. As early as July of this year, the Federal Bureau of Investigation in the US and even the IATF here in the country issued warnings about the increase in cyber attacks that would happen amid the global health crisis.

Just recently, the Land Transportation Office of the Philippines disowned a website that looks like a legitimate site, complete with the agency's official logo. In a Facebook post, LTO warned users not to give personal information to unverified links and accounts. This made AJ Dumanhug, a cybersecurity analyst and Co-Founder of Secuna, a Philippine cybersecurity company, curious, and he checked the website. "I've visited the website out of curiosity and it's currently running. I tried it out and it works well. The website has two main features, Driver's License Authenticator and Motor Vehicle Authenticator," Dumanhug said.

The Driver's License Authentication feature asks for the user's license number and birthday; once the user inputs the needed information and presses submit, it returns the name of the owner of the license and the expiration date.

The Motor Vehicle Authenticator asks users to submit just the Motor Vehicle File Number and then shows sensitive information such as the make, plate number, engine number, chassis number, registration expiry date and the name of the owner.

Users of the LTO Facebook page were confused and concerned. If this is not a legitimate LTO site, how come the information that they get when they input their details is correct? As the LTO disowned this site, this is clearly a breach of personally identifiable information of vehicle owners. Check the conversation here: https://www.facebook.com/lto.cdmpao/posts/4945108275506974

In his further research, AJ Dumanhug found that the rogue website collecting data from users is just using the API endpoint from lto.net.ph, an official website of the LTO, to retrieve the information. What's disturbing is that, upon analysis, whoever is behind lisensya.info is saving every successfully validated license and every authenticated motor vehicle. As of 6:07 a.m. on November 8, the site has already collected 9,733 driver's license details and 18,702 MV File Numbers with complete information.

If you have used the website lisensya.info, there is a big possibility that you would be a victim of identity theft in the near future.

"This is clearly LTO's fault for not implementing proper rate limitation and security measures in the agency's API endpoints," Dumanhug said.

Users were also put at risk when the LTO did not properly mask user information and failed to review whether all the data sent back in response to a query is necessary.
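The two controls named above, response minimisation with masking and per-client rate limiting, can be sketched as follows. This is an added example, not code from the LTO or from Dumanhug's write-up; the field names, limits and function names are assumptions, and the record is constructed sample data.

```python
import time
from collections import defaultdict, deque

# Constructed sample record; field names are assumptions modelled on the
# fields the article says the Motor Vehicle Authenticator returned.
SAMPLE_RECORD = {
    "mv_file_number": "000000000000000",
    "make": "EXAMPLE MOTORS",
    "plate_number": "ABC1234",
    "engine_number": "ENG0000001",
    "chassis_number": "CHS0000001",
    "registration_expiry": "2021-06-30",
    "owner_name": "JUAN DELA CRUZ",
}

# Only what a "is this registration valid?" check needs leaves the server.
ALLOWED_FIELDS = ("make", "registration_expiry")
MASKED_FIELDS = ("plate_number", "owner_name")

def mask(value, keep=2):
    """Keep the first `keep` characters of each word and star the rest."""
    return " ".join(w[:keep] + "*" * max(len(w) - keep, 0) for w in value.split())

def minimise(record):
    """Build the response from an allowlist; every other field is dropped."""
    out = {k: record[k] for k in ALLOWED_FIELDS if k in record}
    out.update({k: mask(record[k]) for k in MASKED_FIELDS if k in record})
    return out

class SlidingWindowLimiter:
    """Allow at most `limit` lookups per client in any `window` seconds."""
    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, client_id, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[client_id]
        while q and now - q[0] >= self.window:
            q.popleft()          # forget lookups older than the window
        if len(q) >= self.limit:
            return False         # caller should answer HTTP 429
        q.append(now)
        return True

def lookup(limiter, client_id, record, now=None):
    """Return (status, body) the way a hardened endpoint would."""
    if not limiter.allow(client_id, now):
        return 429, {"error": "rate limit exceeded"}
    return 200, minimise(record)
```

With these settings a single client that relays many lookups is throttled, and engine and chassis numbers never appear in a response.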

AJ Dumanhug also warned drivers and car owners not to use the lisensya.info website.

Here's the link to AJ Dumanhug's write-up about the incident: https://atom.hackstreetboys.ph/lisensya-website-and-why-you-should-never-use-it/

There is one thing, though, that I noticed. In his research, AJ Dumanhug used legitimate driver's license and motor vehicle number details. He got the information by just searching for it on Google. This is the danger of oversharing that we have been warning users about. In this case, a media company (not Manila Bulletin) and a legit website shared photos without blurring the details, making the owners of that information vulnerable to cyber attacks.