As a matter of comedy, since the whiste-blow of privacy issues & poor security surrounding the MNIC website many people have been voicing out their past experiences kind of similar to mine. Such a case happened a year ago with a good fellow, Dhiruj Babana, name changed for security reason (^^,)

Dhiruj was shocked when he contacted the Mauritius Police Department via the Mauritian Government Portal last year. The online support tool wasn’t a private channel but instead everyone’s message would appear publicly. To this Dhiruj reacted angrily & the operator on the other side who seemed “unresponsive” to the previous citizen’s queries (since 45 mins), all of a sudden disconnects Dhiruj.

<a href=”https://hacklog.mu/privacy-issues-govt-portal-new/dhiruj-revelation-fb/#main” rel=”attachment target=”_blank” wp-att-5452”>dhiruj-revelation-fb</a>

From the URL in the address bar, we can note that the government website was using a chat client by CuteSoft. Naturally, I had a look at the Live Support software. While the software company website didn’t impress me much, I was quite surprised that the news/announcement section has the last entry dated 09-11-2012, 12:29 AM. This left me some doubts in the mind, is it not actively developed. I dig further and I notice a vulnerability around CuteSoft Cute Editor for ASP.NET. I don’t know if the admins use this component in the backend to administer the chat client but it did disturb me as having a cross-site scripting (XSS) vulnerability which as at date still affects the software. See Kaspersky Labs which states the software as unpatched and cert.org states that the impact could be as follows:

A remote attacker may be able to disclose sensitive information, steal user cookies, or escalate privileges.

Is this piece of software still being used or lurking on the government servers, I don’t know, I can’t say.