On the 17th of May 2013 a group of hackers called DomainerAnon took responsibility for the hack of the South African Police Services (SAPS) website. DomainerAnon also claim an affiliation with the popular hacking group Anonymous.
In 2012 a member of the group had already tweeted that he believed the South African Police web applications and servers were vulnerable to attack, like many other South African government websites. Back then he had no motive to attack them, but after the Marikana massacre, where several striking miners were shot by the police, DomainerAnon retaliated and hacked the South African Police Services website.
The South African police website hosts an ASP web application called Crime Stop. The general public can use Crime Stop to report criminal activity by submitting details through an online form. At the time of writing, the ASP web application is still offline.
DomainerAnon exploited a simple SQL injection and retrieved sensitive data from the Oracle backend database. The database dump, which included names, phone numbers, email addresses and ID numbers of people who submitted crime reports, was uploaded to a public website.
The 15,700 individuals who used the website from 2005, and who thought they had been providing information to the police anonymously and securely, now have their names known to anyone who managed to get hold of the data dumps.
The database dump also included the reports themselves, which range from rape cases to police brutality and beatings. David Viaene posted a few censored examples on his blog. The dump also contained usernames and passwords of around 40 South African Police Service personnel. Currently the database dump is no longer available to the public.
The South African police initially denied the hack attack until a reporter from a leading South African TV news channel called eNCA contacted people whose names and contact details were found in the database dump. The official eNCA report can be found here.
From a technical point of view, this hacking attack seems to be a very typical one, where sensitive information is disclosed to the public as part of a whistleblowing act. But in this case the whistleblowers themselves are the victims. What is worrying is that every reported person who stands accused of a crime can now find out who reported him or her. As a matter of fact, several victims of this SAPS hack attack are very concerned about their safety.
Hacktivism, i.e. hacking to promote political beliefs, is on the increase and people’s lives are being affected by it. Every website and web application owner should take responsibility and ensure that the data of everyone using his or her web applications is secure.
There is no magic formula one can use to secure web applications. Frequent scans with a web application security scanner will definitely save the day. In this particular case, if the South African Police Services had used Netsparker to scan their web application, they would have discovered the SQL injection vulnerability and avoided all this kerfuffle.