Loophole in VEP website exposes data of Singapore motorists

Loophole in VEP website exposes data of Singapore motorists

Transport ministry plugs security breach after being alerted by Singapore newspaper.

The Malaysian transport ministry’s vehicle entry permit website at: https://vep.jpj.gov.my/#/ .
PETALING JAYA:
The transport ministry has stepped in to plug disclosure of personal information of motorists applying for the vehicle entry permit (VEP), which comes into effect on Oct 1 at the Singapore Causeway and Second Link.

The republic’s The Straits Times had first reported on the loophole in the online system that enabled personal information of foreign motorists to be seen on the site yesterday.

It reported today that the Malaysian transport ministry took steps to close the loophole yesterday.

The daily said the ministry, however, did not explain how sensitive information like a driver’s identity card number, address, contact numbers, passport details and chassis information could be seen on the website by simply making an alteration to the site’s URL.

“Data security is a matter that we take seriously. It is of utmost importance to us and we are treating it with great urgency,” the ministry said in a statement.

“The VEP portal deploys a ‘same-origin policy’ where it only allows scripts on a first Web page to access data on the second Web page, and only if both are of the same origin. This policy prevents any malicious attempts to obtain access to sensitive data.”

The newspaper said the loophole was discovered by a Singaporean driver who cut and pasted the website’s URL and sent it to his nephew yesterday morning to help him register for his VEP.

The nephew opened the page and found himself staring at his uncle’s details and not his.

The driver, an information technology specialist, made some changes to the URL that showed his VEP account and was able to see sensitive information of other motorists in a matter of seconds.

The Straits Times then alerted the Malaysian authorities to the data loophole yesterday and access to the website was blocked at 5pm, with a message that maintenance was ongoing.

The ministry said the VEP was again accessible today after the loophole had been plugged.

Once the owner has registered, he will receive an e-mail notification to schedule an appointment for the installation of the VEP-RFID (radio-frequency identification) tag.

The VEP for each registered motor vehicle is valid for a period of five years.

Malaysia already has an existing RM20 (S$6.60) road charge for foreign vehicles entering through Johor. It is separate from the VEP and chargeable each time the vehicle enters the country.

Singapore also charges a S$35 VEP fee per day for every day after the first 10 days in the republic.

Stay current - Follow FMT on WhatsApp, Google news and Telegram

Subscribe to our newsletter and get news delivered to your mailbox.