Since the introduction of the New ID Card in Mauritius, a lot of people have shown uncertainty and doubts over the project. Many have also speculated about the incompetence of local bodies regarding security and data protection. Media outlets have also published several contradicting statements from public figures. Well, I'm not going into the whole story of the New ID Card project. You may read about it on the Mauritius National Identity Card website.
This article is more about something that gave me goosebumps while I was looking for information regarding the deadline for the New ID Card registration. A lot of people have recently asked me about the deadline and the consequences of not registering by the deadline. I thought I could get that information from the website but alas, nope. I thus clicked on the contact form option under the Contact tab in the website's menu to submit a query. To my great surprise the contact form was built with Google Docs. On top of that there was even a Request Edit Access option in the top right corner of the form. Wait. Could I, a simple citizen, just request access to edit this form? I could not digest that. The whole MNIC website isn't protected with SSL either.
Anyway, I was more concerned with getting the information I needed, so I proceeded further. The form asks for your name, National ID number and phone number, among other personal details. I found this dubious. Is it wise to hand over this much information through what appears, so far, to be an unsecured channel? I thus decided to test the validity of the form first. I entered some dummy data and submitted the form. If all went well, I would fill in the form with the real details, fair enough.
What do I see after submitting the dummy data?
After I submitted my query I was given a notice that my query had been recorded. Hey, but what's that link about: See previous responses?
Naturally, I was tempted to check it. I clicked and, oh, the horror!! For every person who had submitted a query so far, their name, National Identity number, phone number, age and email address, along with the queries and complaints they made, were all published.
With that, my fellow Mauritians, I call it: your privacy has been compromised.
The flaw was corrected within hours of this post. However, the option to request edit access is still there (^^,) ...
One last question remains unanswered though: to whom does that Google Drive account belong? Are Government officers allowed to keep public information in the cloud? If yes, are they not supposed to abide by a minimum level of security?
Now a real #facepalm. Originally, the developer created a simple HTML form but for some reason he/she/they decided to abandon it. Oh, and instead of removing the piece of code, they simply commented it out. See the code excerpt from the page: http://www.mnic.mu/en/contact-26/contact-form-29.html
For curious enthusiasts, viewing a webpage's source code is simple: if you're using Firefox, right-click on the page and click View Page Source.
Please fill in the below contact form and
an officer will contact you very soon.
Please fill in all fields.
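A small check of the kind a site owner could run before publishing, added here as an example and not code from the original post or from the MNIC site: it parses a page's HTML, collects every comment, and flags comments that still carry form markup, reporting the field names and action endpoints they expose. The sample page below is constructed for the example.

```python
from html.parser import HTMLParser
import re

# Tags whose presence inside a comment suggest a disabled form was left behind.
FORM_TAGS = ("form", "input", "textarea", "select", "button")


class CommentCollector(HTMLParser):
    """Collect every HTML comment together with the line it starts on."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _ = self.getpos()
        self.comments.append((line, data))


def find_commented_forms(html):
    """Return (line, tags, attrs) for each comment that hides form markup.

    tags  - form-related tag names found inside the comment
    attrs - name/action attribute values, i.e. field names and endpoints
    """
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for line, body in parser.comments:
        tags = sorted({t.lower() for t in re.findall(r"<\s*([a-zA-Z]+)", body)
                       if t.lower() in FORM_TAGS})
        if not tags:
            continue
        attrs = re.findall(r'(?:name|action)\s*=\s*["\']([^"\']+)["\']', body)
        findings.append((line, tags, attrs))
    return findings


# Constructed sample page: an embedded form plus a leftover commented-out form.
SAMPLE_PAGE = """<html><body>
<p>Please fill in the below contact form and an officer will contact you.</p>
<iframe src="https://docs.google.com/forms/d/FORM-ID-PLACEHOLDER/viewform"></iframe>
<!-- old form, disabled
<form action="/cgi-bin/contact.php" method="post">
  Name: <input type="text" name="fullname">
  NID:  <input type="text" name="nid">
  <textarea name="query"></textarea>
</form>
-->
<!-- page footer -->
</body></html>"""

if __name__ == "__main__":
    for line, tags, attrs in find_commented_forms(SAMPLE_PAGE):
        print(f"line {line}: commented-out {', '.join(tags)}; exposes {attrs}")
```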
As of Friday night, around 20h00, the page contact-form-29.html was removed from the server, without any notice to readers.
Monday night, L'Express published an article highlighting this flaw. Consequently, I shared some code quality findings in this article: Mauritius National ID Card website, the code quality
Disclaimer: I should clarify that my article revolves only around the MNIC website. I do not speak of the whole MNIS (Mauritius National Identity Scheme) Project. I do not know about the MNIS infrastructure, its technicalities, its governance or its hosting environment, so I can't say anything about how secure or insecure those are.