The Public Transport Victoria “Hack”

Several days ago Fairfax published an article about Joshua Rogers – a 16-year-old self-described “white hat hacker” – and his alleged discovery of a security flaw on the Public Transport Victoria servers:

Schoolboy hacks Public Transport Victoria website

Personal information about public transport users in Victoria has been exposed to potential identity theft because government authority Public Transport Victoria failed to secure its website.

The security flaw in the PTV website was discovered by schoolboy Joshua Rogers, 16, who used a simple hacking technique to unearth a database containing the personal records of customers of the former Metlink online store.

If you ignore the misleading headline and ill-informed comments from those not familiar with aspects of IT security matters, there are two camps: those who think Rogers did the wrong thing, and those who believe that the PTV are completely at fault. After a few days of thought I’m sitting somewhere in the middle.

The original Fairfax article doesn’t go into a lot of detail on the matter. It does describe that a database was accessed, along with the type of information that was contained within. What it doesn’t do is discuss how that database was accessed or the nature of the security flaw (I have a few ideas myself, but I won’t go into them). The article doesn’t give a great amount of technical detail, and no disrespect to Adam Carey, but he’s a transport reporter, not an IT reporter.

A later article published on TechGeek says that Rogers stumbled across a potential vulnerability, and tested the waters to see what he could uncover. It turns out he got lucky.

Before they go pointing fingers at teenagers, PTV should be having questions asked of them. Why was a database with personal information of over 600,000 customers so easily accessible? If this particular flaw was easy enough for a teenager to uncover, what other weaknesses exist on their servers? Let’s keep in mind that Myki has now been absorbed into PTV, and there’s no doubt a hell of a lot more than 600,000 Myki users out there. I do know that Myki contracted a number of off-shore programmers to code parts of their website, most of which had no prior experience working on large scale projects.

Personally, I don’t think Rogers set out to act nefariously. He just had the know-how to interpret the error message thrown at him and ran with that. However, depending on how this pans out, that may be his downfall. But would PTV respond to an email that said “Hey guys, I think you have a problem…”? Probably not, and if they did, it wouldn’t be in a timely manner. What’s the other option here? Say nothing and leave a door open for someone else to exploit?

That said, good intentions or not, Rogers probably took it too far, which is why it’s become such a shitstorm. Regardless of that, as the authority responsible for holding and ultimately protecting personal data, I put more weight on the shoulders of PTV than anyone else, and referring the matter to police straight out says to me that they’re more worried about damage control and deflecting blame than actually employing proper security measures.

The final word goes to Phil Kernick, a security consultant quoted by Fairfax:

“[Rogers] wasn’t authorised by Public Transport Victoria to do this testing, but he didn’t make the data of all of the users of PTV available, they did,” Mr Kernick said.

“Everyone is being attacked all the time, so if your website is not going to survive this level of attack you’re going to get owned.”

One thought on “The Public Transport Victoria “Hack””

  1. Probably Joshua’s biggest mistake was only allowing PTV two weeks to respond. (given article preparation time, Joshua probably only gave PTV a week to respond. But let’s be generous and say two)

    These two weeks are traditionally during a quiet in IT. I’d be surprised if there were many people on deck who could respond.
    If PTV saw the Boxing Day email in a timely fashion. If they understood what Joshua was saying …

    Two groups at fault here. PTV for failing to decommission a public facing database server. And Joshua for a) going to far in his exploit, and b) not giving PTV sufficient time to rectify the problem.

Leave a Reply