Critical password flaw found within hours of Padu database launch

If the Rakyat is not confident of the government’s capability to keep their data safe and refuses to submit their details, what will then happen to the project which costs millions of Ringgit?

(MMO) – Pangkalan Data Utama (Padu) made its official debut yesterday after a grand launch event in Putrajaya.

However, several flaws were discovered inside the government’s latest signature digital project within just hours of its public rollout.

While the most talked-about flaw was the MyKad-related issue raised by the former Deputy Minister of International Trade and Industry, Ong Kian Ming, there was another issue with the centralized database that is even more critical. According to developer and X user @drmsr_dev, the user password for a Padu account can be changed easily just by using one’s IC number.

In a set of screenshots that were shared through the popular social media platform, drmsr_dev demonstrated that this flaw can be taken advantage of easily through API calls by someone savvy enough.


The Ministry of Economy acknowledged the security issue

A few hours after this issue was exposed to the public, drmsr_dev noted in a follow-up tweet that the team behind Padu had changed the API to fix the flaw. In addition to that, the Ministry of Economy has since acknowledged the flaw through a tweet earlier today.

Aside from saying that the agency is constantly monitoring feedback from the public, the tweet also noted that improvements are currently being implemented. Furthermore, the ministry described the discovery of the flaw and the subsequent feedback as “positive criticism”.

This may affect the public’s opinion of Padu

Since it deals with personal data that belongs to millions of Malaysians, security has always been a lingering concern for Padu. The discovery of this critical flaw certainly doesn’t help its reputation.
