Privacy issues with Govt Portal, not new

May 22, 2014

As a matter of comedy, since the whistle-blowing on privacy issues & poor security surrounding the MNIC website, many people have been voicing their past experiences, kind of similar to mine. Such a case happened a year ago with a good fellow, Dhiruj Babana, name changed for security reasons (^^,)

Dhiruj was shocked when he contacted the Mauritius Police Department via the Mauritian Government Portal last year. The online support tool wasn’t a private channel; instead, everyone’s messages would appear publicly. To this Dhiruj reacted angrily & the operator on the other side, who had seemed “unresponsive” to the previous citizen’s queries (for 45 mins), all of a sudden disconnected Dhiruj.


From the URL in the address bar, we can note that the government website was using a chat client by CuteSoft. Naturally, I had a look at the Live Support software. While the software company website didn’t impress me much, I was quite surprised that the news/announcement section has its last entry dated 09-11-2012, 12:29 AM. This left some doubts in my mind: is it no longer actively developed? I dug further and noticed a vulnerability around CuteSoft Cute Editor for ASP.NET. I don’t know if the admins use this component in the backend to administer the chat client, but it did disturb me that it has a cross-site scripting (XSS) vulnerability which, as of this date, still affects the software. See Kaspersky Labs, which lists the software as unpatched and states that the impact could be as follows:

A remote attacker may be able to disclose sensitive information, steal user cookies, or escalate privileges.

Is this piece of software still being used or lurking on the government servers? I don’t know; I can’t say.