Government’s small business Covid-19 assistance website a dangerous mess

Sensitive and private business data of unsuspecting small businesses could have been compromised, with an independent assessment of government’s Covid-19 Debt Relief Fund online application website finding that it was “a hacker’s picnic paradise”.

Not only does the SMMESA.gov.za site, which was launched by the small business development department this week to create a database for distressed businesses, use “outdated software”, but it was extremely vulnerable to hacking, susceptible to cloning, had no security updates and is therefore open for interception.

Lec Marketing, a Cape Town-based web development company, conducted the assessment and found that that if the site was to be hacked, information that the user was inserting into the registration form could easily be intercepted.

The company’s co-founder, Leonie Coetzee, said the intercepted information might not get to the intended recipient and could be redirected.

“This is like someone opening your letter you posted and changing it or even not delivering it,” she said.

The online registration site, which came live on Tuesday, was unveiled by Small Business Minister Khumbudzo Ntshavheni, as a platform to access funding to mitigate the impact of the Covid-19 economic shutdown.

Some of the details which companies were required to share included annual turnover, shareholders, number of employees, employee demographics as well as details on sub-sectors and tax numbers.

The site was unexpectedly taken down earlier today, shortly after questions regarding the concerns raised regarding the compromised security were sent to the department.

Where it previously displayed forms to access the required info, it simply displayed a message saying: “We are performing a critical update and will resume the service shortly. We apologize for the inconvenience, we will be back soon”.

Sarah Mokwebo, Ntshavheni’s spokesperson, did not respond to questions about who developed the site, how much it cost and how many businesses had submitted their online applications.

Coetzee explained that having a Hypertext Transfer Protocol (HTTP) site instead of a Hypertext Transfer Protocol Secure (HTTPS) site meant that a hacker could also easily clone this website, as there was no security certificate.

She said once cloned the hacker would have access to all sensitive information that the user thought they were sending to government and that if someone should hack this site, they would also be able to insert hidden links on the site.

“…therefore when a user clicks on something on the page the page redirects to an advertisement or malicious site. Malicious sites can install malicious content onto users’ devices, computers, tablets or phones. This opens the gate to even more problems,” Coetzee said.

She said malicious content could also be downloaded onto the user’s device, which opened them up to viruses that could corrupt their entire system.

A web developer who did not want to be named said the site did not use Security Sockets Layer (SSL), meaning it was not secure and anyone could intercept the data shared between it and the user.

“The input is also open to anyone with a bit of knowledge to view, which means anyone would be able to access the documents and information people upload and steal their business and personal information. This is basically a child’s school website project and placing every single business owner who tries to use it at risk,” the web developer said.

siphom@citizen.co.za

For more news your way, download The Citizen’s app for iOS and Android.