Mauritius National ID Card website, the code quality

As it happens, thanks to the support of L'Express, it seems more & more citizens are now drawing attention to the flaws in the Government websites. Yes, I did mention website with an "s". Nevertheless, let's keep the attention to MNIC. In the previous article, Mauritius National ID Card website – Your privacy compromised, I highlighted the security flaw the webmaster(s) left when creating the feedback/complaint form using Google Docs.

However, I did also check the page sources to have a look at the code quality. It was a horror. You find JavaScripts at places you shouldn't. You find HTML tags closing without even opening at first, I call them the ghost tags.

wtfperminute

Screenshot from www.mnic.mu

See for example, if you view the source of the home page, you should find this piece of JavaScript:

It looks harmless. Hmm, have a closer look at following lines:
var url="http://www.mnic.mu/files/newsletter/capture.php";
url=url+"?txtemail="+email+"&lang=1";
xmlhttp.onreadystatechange=stateChanged;
xmlhttp.open("GET",url,true);
xmlhttp.send(null);

It leads directly to the database of those who subscribed to the MNIC newsletter. Looking at their overall code quality so far, I wonder how secure would capture.php be.

Now, let's look at some HTML ghost tags. Still on the home page, view the source. Look out for the <head></head> tags. How many? (^^,)

As of now, I guess the website is a good project for students who wish learn about website flaws & vulnerabilities.


Before anything goes viral again, I need to clarify that no "hacking" is involved here. Viewing a webpage source was never an act of cyber-attack. For the curious minds, the following definitions portrays the term hacker in a better manner:

hacker-defined

Source: Wikipedia

Update 1

While going through the comments on the L'Express article I noticed a reader's comment about the marquee element. I used that argument on the social networks as well but maybe it should find it's place here. What's a marquee? Go to the MNIC homepage, do you notice the Latest News bar where the text annoyingly scrolls from right to left. That's called a marquee.

mnic-marquee

Screenshot from www.mnic.mu

Hover your mouse over it, does it stop/pause? Nah. The "good" web developers know of this & rant about it often. The marquee element is a non-standard element as per the World Wide Web Consortium. Read about it here and Wikipedia could help too.

As per Wikipedia the marquee was introduced in Microsoft's Internet Explorer. Other browsers like Firefox, Opera, Chrome and Safari support it just to maintain compatibility with legacy webpages.

This is something the developers of MNIC website should have known or we should we call it simply some bad code. In case you're thinking of the news tickers on websites like BBC or CNN, those are rather JavaScript scrollers which are much more intuitive to mouse actions.


Should you be wondering what's that stuff with code quality, you might have a quick read: The only valid measurement of code quality : WTFs/minute

Disclaimer

I should clarify that my article revolves only around the MNIC website. I do not speak of the whole MNIS (Mauritius National Identity Scheme) Project. I do not know about the MNIS infrastructure, its technicalities, its governance, its hosting environment, so I can't say anything about how secure or unsecure those are.

Share this post