DigiTech’s South African “App Store” uses R925 website template
The South African government’s DigiTech platform runs on extremely outdated software and was built using a $59 (R925) template for Drupal, an open-source content management system.
Communications Minister Khumbudzo Ntshavheni launched DigiTech on May 17, 2022, touting it as an app store that showcases South African talent.
“DigiTech serves as a digital distribution service developed, maintained and operated by the South African government,” the minister said.
“The platform allows users to browse and download applications developed on all operating systems.”
DigiTech uses an older Drupal template called Hasta which is for sale on the Envato Market.
A security researcher who spoke to MyBroadband on condition of anonymity found that DigiTech runs on Drupal 7.31, released in 2014.
The developers have tagged this older version as “not secure”.
Additionally, the web server runs PHP 5.36, an older version of the server-side web programming language that has been unsupported since 2014.
The DigiTech developer has set up the site to allow anyone to register an account and download a “digital product”, complete with images and video links.
Users had to provide ID numbers and other personal data to download their products. However, the system does not appear to perform any validation to ensure that people are not using fake or stolen identities.
DigiTech’s website does not have a TLS certificate, so users had to send personal data through an unencrypted channel.
Digital products created by the user were automatically transferred to the market section of the DigiTech site, which was nothing more than a grid of photos and videos.
South Africans quickly learned to exploit the poorly designed system and created listings pointing to videos such as Rick Astley’s hit Never Gonna Give You Up.
There were also politically themed videos, including one on the subject of nepotism.
Fortunately, the exploitation of the system was limited to Rickrolling, social comments and silent protests.
The security researcher told MyBroadband that the listing description allowed arbitrary HTML code, which attackers could have used for cross-site scripting (XSS).
This code would have been triggered when clicking on a listing, potentially executing attacks on visitors’ computers or infecting them with malware.
The researcher also confirmed a Business Insider report that the DigiTech site leaked ID numbers and other private data that early legitimate users may have provided.
This vulnerability was a simple enumeration flaw that allowed any logged-in user to see the personal details of other users.
Since registration was free and open to anyone, anyone who wished to could access this information.
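Both of the flaws described above, the listing description that passed raw HTML through to visitors and the profile lookup that never checked whose profile was being requested, come down to a missing server-side control. The following is an added illustration of those two controls in plain Python; it is not DigiTech’s or Drupal’s code, and the user records, tag allowlist and function names are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample records standing in for the site's user table (placeholder values).
USERS = {
    1: {"name": "user-one", "id_number": "ID-PLACEHOLDER-1"},
    2: {"name": "user-two", "id_number": "ID-PLACEHOLDER-2"},
}

class Forbidden(Exception):
    pass

def can_view_profile(session_user_id, requested_user_id):
    # Object-level authorisation: the check the enumeration flaw lacked.
    # Being logged in is not enough; the record must belong to the requester.
    return session_user_id == requested_user_id

def get_profile(session_user_id, requested_user_id):
    if not can_view_profile(session_user_id, requested_user_id):
        raise Forbidden("profile belongs to another account")
    return USERS[requested_user_id]

# Tags a listing description may keep; everything else is dropped or escaped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}

class DescriptionSanitizer(HTMLParser):
    """Keep a small tag allowlist, drop every attribute, escape all other text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:           # attributes (onerror, href, ...) never pass through
            self.out.append(f"<{tag}>")
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> is emitted as <br>
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))  # text can never open a tag

def sanitize_description(raw):
    """Run a user-supplied listing description through the allowlist before storing it."""
    parser = DescriptionSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    print(sanitize_description('<img src=x onerror="alert(1)">Cool <b>app</b>'))
```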
DigiTech’s site has since been locked down and cleaned up. It is no longer possible to register and existing user accounts appear to have been deactivated.
MyBroadband has contacted the Department of Communications and Digital Technologies for comment, but it had not responded by the time of publication.