IT expert warns of major security hole in DIE’s ETA visa page

  • Says no foreigner would want to visit Sri Lanka if they became aware that their passport details could easily be accessed by hackers

An Australia-based IT engineer has identified a security hole in the Department of Immigration and Emigration’s (DIE) electronic travel authorisation (ETA) visa page, which allows the mere entry of a confirmation code—with no additional layer of protection—to access information such as passport numbers, full names, nationality and dates of birth.

“In that link, only the confirmation code needs to be entered to see the application status,” says Vasantha Saparamadu, who retired as a senior systems engineer from Macquarie University, Sydney. “When I enter my code, it gives me a link to download my application status, which includes full name, passport number, nationality, and date of birth.”

“This means that anyone with knowledge of the format of the confirmation code can automate the check with a large number of computer-generated confirmation codes, and get access to tourists’ data.”

“Most importantly, it is very bad when an innocent person mistakenly types, say, ‘7’ instead of ‘6’ as the last digit of their reference number, for example, and then receives someone else’s passport information,” Mr. Saparamadu told the Sunday Times. “This alone is enough for me to argue that this is a very badly designed system which needs to be changed immediately.”

In October last year, these concerns were brought to the attention of Hans Wijayasuriya, Chief Advisor to the President of Sri Lanka on Digital Economy and, in turn, the Information Communication Technology Agency of Sri Lanka (ICTA) and the Sri Lanka Computer Emergency Readiness Team (SLCERT), the Sunday Times reliably learns. However, no feedback was received and the security issue remains, many months after it was highlighted.

“Fixing this is an easy technical task,” Mr. Saparamadu said. “The fundamental problem here is that the page requires only the confirmation code. A proper application should require one to enter the confirmation code and the passport number, which would eliminate this security hole.”

The problem is even worse, he continued: “I just tried to see what happens if I just deduct 1 from the last digit on my confirmation code, and enter it in the page. It gave me a link to download another tourist’s data. (Of course, I didn’t download it.) Then I tried deducting two from my number. It gave me yet another tourist’s data. (I didn’t download it.) This makes a hacker’s job much easier. Confirmation codes should never be consecutive numbers!”
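The two changes Mr. Saparamadu describes, a lookup that needs both the confirmation code and the passport number, and codes that are not consecutive, are sketched below as an added example; it is not the DIE's or SLTMobitel's code. The record fields, function names, in-memory store and the limit of five failed attempts are assumptions made for illustration.

```python
import hmac
import secrets

APPLICATIONS = {}   # confirmation code -> record (constructed in-memory store)
FAILURES = {}       # client id -> failed lookups (a real service would expire these)
MAX_FAILURES = 5    # assumed limit
DUMMY = {"passport_no": "\x00", "status": ""}  # compared against when the code is unknown

def normalise(passport_no):
    return passport_no.replace(" ", "").upper()

def register(passport_no, full_name):
    """Issue a random 128-bit code, so neighbouring values identify nobody."""
    code = secrets.token_hex(16)
    APPLICATIONS[code] = {"passport_no": normalise(passport_no),
                          "full_name": full_name, "status": "APPROVED"}
    return code

def lookup_code_only(code):
    """Design described in the article: the code alone returns the whole record."""
    return APPLICATIONS.get(code)

def lookup_hardened(code, passport_no, client_id):
    """Require code AND passport number; return only the status."""
    if FAILURES.get(client_id, 0) >= MAX_FAILURES:
        return None                      # locked out: same answer as any failure
    record = APPLICATIONS.get(code, DUMMY)
    # Constant-time comparison, also run for unknown codes, so the response
    # does not reveal whether the code exists.
    match = hmac.compare_digest(normalise(passport_no).encode(),
                                record["passport_no"].encode())
    if record is DUMMY or not match:
        FAILURES[client_id] = FAILURES.get(client_id, 0) + 1
        return None
    FAILURES.pop(client_id, None)
    return {"status": record["status"]}  # caller already knows the passport data

if __name__ == "__main__":
    code = register("N1234567", "Constructed Traveller")   # constructed sample
    print(lookup_code_only(code))                  # full record from the code alone
    print(lookup_hardened(code, "n1234567", "a"))  # status only
    print(lookup_hardened(code, "N1234568", "a"))  # None: wrong passport number
```

With this design a mistyped digit returns nothing rather than another applicant's record, and the response carries no passport data at all.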

An official from SLCERT told the Sunday Times that the matter had been raised with the DIE. The Department is aware of the privacy issue, internal sources said, requesting anonymity. However, as the Supreme Court (SC) is still reviewing fundamental rights petitions challenging the outsourcing of the electronic visa (e-visa) system to private companies—with hearings still going on—the DIE has sought the advice of the Attorney General’s Department before making any changes.

SLTMobitel handles the DIE system’s front-end and could fix the problem, the sources said. It doesn’t involve changing the ETA process. However, the Department is eager to get the SC’s clearance before taking any action, especially since former Controller General of Immigration and Emigration Harsha Ilukpitiya was convicted of contempt of court. The AG’s Department hasn’t yet filed a motion to the court to seek consent.

Hackers gaining access to passport details is a severe problem for the passport owners as it leads to identity theft and other problems, Mr. Saparamadu said. “No foreigner would want to visit Sri Lanka if they became aware of the fact that their passport details could easily be accessed by hackers through the visa application website of the Sri Lanka Government. Foreign countries may even advise their citizens against applying for a visa to visit Sri Lanka.

“That would cause severe reputational and financial loss to Sri Lanka,” he warned.
