
Thailand News and Discussion Forum | ASEANNOW


Not again! Another website used by foreigners in Thailand suffers massive data breach


 

For the second time in as many days, an official website used by foreigners in Thailand has purportedly suffered a data breach.

 

On Wednesday, blogger Richard Barrow tweeted that the website used by foreigners to book appointments at Bangkok Immigration had been exposing the personal data of users.

 

The data leaked included names, addresses, date of birth, passport numbers and visa numbers.

 

 

 

Richard explained that the personal information of other users could be accessed if a user changed certain characters in the URL of their completed booking form.

 

Richard intimated that the data breach could have been going on for years.

 

The issue affecting the Bangkok Immigration website is remarkably similar to the issue discovered on the Thailand Intervac website on Tuesday.

 

The Intervac website, which has been created by Thailand’s Ministry of Public Health to enable foreigners to register to receive the COVID-19 vaccination, was also found to be leaking personal information of people who had registered on the website.

 

The personal data on the Intervac website also could be accessed publicly by changing a few characters in the URL.

 

On Tuesday, the Thai government released a statement to explain the issue on the Intervac website had been resolved after being caused by a “temporary glitch” and was now working again.

 


-- © Copyright Thai Visa News 2021-06-16
 

  • Popular Post

welcome to thailand 0.4.

do expect local mafia figures to check on your home safe, while you pop to shops.

your passport data used by terrorists (they might even take it with safe).

some spam sms and email messages with offers of real estate close to your home or some bitcoin offers (did happen to me shortly after registering for vax, but never ever before that)

  • Popular Post

bizpotential.com

 

Good job.

 

Clownage.

 

 

  • Popular Post
6 minutes ago, snoop1130 said:

Richard intimated that the data breach could have been going on for years.

But is this really a surprise?

  • Popular Post

Too much of a coincidence perhaps ?

  • Popular Post

Clap one hand if you are shocked and surprised by this.

  • Popular Post

I'm sure the pm will step up and accept responsibility.

 

Immigration is part of the RTP, and they report directly to the pm.

 

 

  • Popular Post

Let me guess, the developer was updating the system... ? 

  • Popular Post

As long as it's not Kasikorn Bank's website I'm good.

  • Popular Post

Hacks sake .. this is getting more than a little inconvenient now .. 

Unable to run a bath comes to mind ..

  • Popular Post

this will require some more "thaisplaining"

 

let's see...

"it's a service provided for foreigners"

"we were updating the system"

"it was for less than 5 minutes"

 

Quote

On Tuesday, the Thai government released a statement to explain the issue on the Intervac website had been resolved after being caused by a “temporary glitch” and was now working again.

 

obviously, this is not the case, as it's not possible to register or login.

  • Popular Post

Mighty strange, this morning I had an SMS saying I owed money, in Thai but they had my email and phone, strange indeed.

  • Popular Post

Could someone tell me what characters in which URL Richard changed?

  • Popular Post

Nothing new. They have been doing it for years with the photocopies of application forms on the back of other people's passport and other document copies.

  • Popular Post

I've had several SMS offering insurance for Covid since I registered with thailandintervac and on Mor Prom. They're all in Thai, so I'm guessing it's Mor Prom. I'd better get along to Dtac and have them all blocked.

  • Popular Post

Somewhere over the rainbow pigs are flying and laughing as well as the folks who have now compiled enough data to create fake passports with all of a person's biometric data. You would not ever believe that a Government database, that holds millions of folks' personal data including those of migrant workers, and expats, could be so easily accessed. Unreal....

  • Popular Post
Just now, ThailandRyan said:

Somewhere over the rainbow pigs are flying and laughing as well as the folks who have now compiled enough data to create fake passports with all of a person's biometric data. You would not ever believe that a Government database, that holds millions of folks' personal data including those of migrant workers, and expats, could be so easily accessed. Unreal....

I would believe anything is possible when tin pot soldiers run a country for its own ends.

Apinya the Programmer 

  • Popular Post

I think Mr Barrow is pushing his luck with publicising these data breaches. Gaining unauthorised access to any system and its data is, by definition, HACKING. Whether he used website parameter hacking, CSS, CSRF, or SQL injection is irrelevant. He has gained unauthorised access to the database, retrieved data and published the fact. Had Mr Barrow had legal permission to perform the hack (as an Ethical Hacker) the correct course of action should have been to inform the owner of the website/database of the breach so that they could take immediate remedial action.

  • Popular Post

These people have no idea how to develop code.  They are literally back in the 1990s in their web development practices.
I jokingly said awhile back that contracts to produce Thai government websites like this one are given to some big-wig's kid or nephew in university. Now I'm betting I'm not far off. No data security at all.

  • Popular Post
2 minutes ago, Phuketshrew said:

Gaining unauthorised access to any system and its data is, by definition, HACKING.

Nonsense, he did not gain unauthorised access to any system it was there for all to see. 

 

You obviously have no idea what you are talking about.

15 minutes ago, JamieM said:

Nonsense, he did not gain unauthorised access to any system it was there for all to see. 

and where do you think the data was retrieved from? thin air?

  • Popular Post
1 minute ago, Phuketshrew said:

and where do you think the data was retrieved from? thin air?

If it is visible on the clearnet it is not hacking.

  • Popular Post

For that shoddy appointment website, they couldn't even be bothered to set up a domain and SSL. That's obviously never a good sign, so it's not surprising that there are other issues as well.

  • Popular Post
16 minutes ago, JamieM said:
19 minutes ago, Phuketshrew said:

and where do you think the data was retrieved from? thin air?

If it is visible on the clearnet it is not hacking.

My understanding is that he directly tampered with web URL parameters as he stated "all you have to do is change certain characters in the URL". I assumed that he changed the userID to retrieve and show details of other users. Maybe you have more experience than me. I would be interested to know how do you think he did it?

  • Popular Post
6 minutes ago, Phuketshrew said:

My understanding is that he directly tampered with web URL parameters as he stated "all you have to do is change certain characters in the URL". I assumed that he changed the userID to retrieve and show details of other users. Maybe you have more experience than me. I would be interested to know how do you think he did it?

Well if that were the case and it were simply a case of changing a digit at the end of a url, imagine how many people do that everyday by accident while navigating the web? by your way of thinking they would all be hacking and breaking the law and there would be no more space in jails worldwide.

 

Mr Barrow is no fool and is fully aware that they want rid of him, do you really think he would post before checking the legality of the data breach before posting?

 

In my opinion he did the right thing drawing attention to the situation before others posted information for anyone to see.

Yes, it is possible to change a userID in a URL (which should not be displayed anyway) and retrieve another user's data. I've done it under controlled conditions. But only if the developer has neglected security considerations and validation routines when the web site was created, which is the point that Mr Barrow was trying to make. Of course, most web developers worth their salt would never allow this to happen so there are still some places free in the world's jails.

 

My original point was that if he did this then it would be legally defined as hacking i.e. gaining unauthorised access to a system or data.
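
The flaw discussed in this thread, where editing characters in a booking URL returns someone else's form, comes down to a record lookup with no ownership check. As an added illustration (not part of any post here and not code from either website; the record layout, function names and sample data are constructed assumptions), this sketch puts a lookup that trusts the URL identifier beside one that ties the record to the logged-in session and uses an unguessable reference.

```python
import secrets

# Constructed sample store; fields mirror the kinds of data the article lists.
BOOKINGS = {}          # sequential id -> record (weak design)
BOOKINGS_BY_REF = {}   # random reference -> record (hardened design)


def create_booking(owner, name, passport_no):
    """Store a booking and return (sequential_id, random_reference)."""
    seq_id = len(BOOKINGS) + 1
    ref = secrets.token_urlsafe(16)   # 128 random bits, not guessable by editing a URL
    record = {"owner": owner, "name": name, "passport_no": passport_no}
    BOOKINGS[seq_id] = record
    BOOKINGS_BY_REF[ref] = record
    return seq_id, ref


def view_booking_weak(seq_id):
    """Weak: whatever id arrives in the URL is looked up and returned."""
    return BOOKINGS.get(seq_id)


def view_booking_checked(session_user, ref):
    """Hardened: needs a logged-in user and returns only that user's record."""
    record = BOOKINGS_BY_REF.get(ref)
    if session_user is None or record is None or record["owner"] != session_user:
        return None   # same answer for "missing" and "not yours"
    # Return only the fields the page needs, never the raw stored row.
    return {"name": record["name"], "passport_no": record["passport_no"]}


def demo():
    a_id, a_ref = create_booking("alice", "Alice Example", "X0000001")
    _, b_ref = create_booking("bob", "Bob Example", "X0000002")
    return {
        "weak_other_user": view_booking_weak(a_id + 1),   # neighbour's record comes back
        "checked_other_user": view_booking_checked("alice", b_ref),
        "checked_own": view_booking_checked("alice", a_ref),
        "checked_anonymous": view_booking_checked(None, a_ref),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

The random reference only makes records hard to enumerate; the ownership comparison is what actually enforces access, so a leaked or shared link still returns nothing to a different session.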

  • Popular Post
12 minutes ago, Phuketshrew said:

My original point was that if he did this then it would be legally defined as hacking i.e. gaining unauthorised access to a system or data.

Yeh but it's not though:

 

1. The data was not restricted.

 

2. You are assuming whoever found the data breach, knowingly accessed the data.
