14 Million Records Exposed by GovPayNet Through Unprotected Receipt System

Indianapolis-based GovPayNet, a private company which provides online payment services to more than 2,300 US government agencies across 35 states, leaked around 14 million records containing receipt data since 2012.

As reported by security researcher Brian Krebs, the company's website GovPayNow.com allowed anyone to access receipt data for anything from traffic citations to court-ordered fines and bail payments.

This was possible because, after a payment was processed, GovPayNow.com issued a digital receipt to confirm the payment and displayed it within the website, with no extra security measures in place besides a different ID added to the page URL for every generated receipt.

Krebs was able to access receipt data for any customer who ever used GovPayNet's payment system simply by changing the digits in the receipt IDs, and was thus able to view full names.
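The missing control described above, shown as an added example (not GovPayNet's code): a receipt lookup where the ID from the URL is the only check, beside a version that requires either the owning session or an HMAC-signed link. The data store, function names and field names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: receipts keyed by sequential numeric ID.
RECEIPTS = {
    1001: {"owner": "alice", "payer": "Alice Example", "amount": "150.00"},
    1002: {"owner": "bob", "payer": "Bob Example", "amount": "75.00"},
}

# Server-side secret used to sign receipt links (hypothetical key handling).
LINK_KEY = secrets.token_bytes(32)


def get_receipt_vulnerable(receipt_id):
    """Pattern from the article: the ID in the URL is the only 'credential'."""
    return RECEIPTS.get(receipt_id)


def sign_receipt_link(receipt_id):
    """Tag appended to the receipt link given to the payer.

    Unlike the numeric ID, it cannot be derived without LINK_KEY.
    """
    msg = str(receipt_id).encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def get_receipt_hardened(receipt_id, session_user=None, link_tag=None):
    """Return a receipt only to its owner or to the holder of a valid link tag."""
    receipt = RECEIPTS.get(receipt_id)
    expected = sign_receipt_link(receipt_id).encode()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    tag_ok = link_tag is not None and hmac.compare_digest(
        expected, link_tag.encode()
    )
    owner_ok = receipt is not None and session_user == receipt["owner"]
    if receipt is None or not (owner_ok or tag_ok):
        # Same answer for "does not exist" and "not yours": no ID oracle.
        return None
    return receipt
```

Server-side, a run of denied lookups against consecutive IDs from one client is the pattern to alert on, and it only becomes visible once the authorization check exists to produce the denials.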
