snoop1130, posted June 16, 2021:
For the second time in as many days, an official website used by foreigners in Thailand has purportedly suffered a data breach.
On Wednesday, blogger Richard Barrow tweeted that the website used by foreigners to book appointments at Bangkok Immigration had been exposing the personal data of users. The data leaked included names, addresses, date of birth, passport numbers and visa numbers.
> The Immigration data breach is NOT a hack. All you have to do is change certain characters in the URL of your completed booking form to see data for other people. I am sure a high school student could write a simple script to mine all of this data going back years [2/3] #Thailand pic.twitter.com/r1xZXVBm5n
> — Richard Barrow (@RichardBarrow) June 16, 2021
Richard explained that the personal information of other users could be accessed if a user changed certain characters in the URL of their completed booking form. Richard intimated that the data breach could have been going on for years.
The issue affecting the Bangkok Immigration website is remarkably similar to the issue discovered on the Thailand Intervac website on Tuesday. The Intervac website, which has been created by Thailand’s Ministry of Public Health to enable foreigners to register to receive the COVID-19 vaccination, was also found to be leaking personal information of people who had registered on the website. The personal data on the Intervac website also could be accessed publicly by changing a few characters in the URL.
On Tuesday, the Thai government released a statement to explain the issue on the Intervac website had been resolved after being caused by a “temporary glitch” and was now working again.
-- © Copyright Thai Visa News 2021-06-16
internationalism, posted June 16, 2021 (edited):
welcome to thailand 0.4. do expect local mafia figures to check on your home safe, while you pop to shops. your passport data used by terrorists (they might even take it with safe). some spam sms and email messages with offers of real estate close to your home or some bitcoin offers (did happen to me shortly after registering for vax, but never ever before that)
mtls2005, posted June 16, 2021:
bizpotential.com Good job. Clownage.
J Town, posted June 16, 2021:
> 6 minutes ago, snoop1130 said:
> Richard intimated that the data breach could have been going on for years.
But is this really a surprise?
Excel, posted June 16, 2021:
Too much of a coincidence perhaps?
bino, posted June 16, 2021:
Clap one hand if you are shocked and surprised by this.
mtls2005, posted June 16, 2021:
I'm sure the pm will step up and accept responsibility. Immigration is part of the RTP, and they report directly to the pm.
RotBenz8888, posted June 16, 2021:
Let me guess, the developer was updating the system...?
Pattaya Spotter, posted June 16, 2021:
As long as it's not Kasikorn Bank's website I'm good.
Justgrazing, posted June 16, 2021:
Hacks sake .. this is getting more than a little inconvenient now .. Unable to run a bath comes to mind ..
tgw, posted June 16, 2021 (edited):
this will require some more "thaisplaining"
let's see...
"it's a service provided for foreigners"
"we were updating the system"
"it was for less than 5 minutes"
> On Tuesday, the Thai government released a statement to explain the issue on the Intervac website had been resolved after being caused by a “temporary glitch” and was now working again.
obviously, this is not the case, as it's not possible to register or login.
Almer, posted June 16, 2021:
Mighty strange, this morning I had an SMS saying I owed money, in Thai but they had my email and phone, strange indeed.
EricTh, posted June 16, 2021:
Could someone tell me what characters in which URL Richard changed?
phetphet, posted June 16, 2021:
Nothing new. They have been doing it for years with the photocopies of application forms on the back of other people's passport and other document copies.
samtam, posted June 16, 2021:
I've had several SMS offering insurance for Covid since I registered with thailandintervac and on Mor Prom. They're all in Thai, so I'm guessing it's Mor Prom. I'd better get along to Dtac and have them all blocked.
ThailandRyan, posted June 16, 2021:
Somewhere over the rainbow pigs are flying and laughing as well as the folks who have now compiled enough data to create fake passports with all of a person's biometric data. You would not ever believe that a Government database, that holds millions of folks' personal data including those of migrant workers, and expats, could be so easily accessed. Unreal....
Excel, posted June 16, 2021:
> Just now, ThailandRyan said:
> Somewhere over the rainbow pigs are flying and laughing as well as the folks who have now compiled enough data to create fake passports with all of a person's biometric data. You would not ever believe that a Government database, that holds millions of folks' personal data including those of migrant workers, and expats, could be so easily accessed. Unreal....
I would believe anything is possible when tin pot soldiers run a country for its own ends.
BKKTRAVELER, posted June 16, 2021:
Thailand, hub of self hack?
Pravda, posted June 16, 2021:
Apinya the Programmer
Phuketshrew, posted June 16, 2021:
I think Mr Barrow is pushing his luck with publicising these data breaches. Gaining unauthorised access to any system and its data is, by definition, HACKING. Whether he used website parameter hacking, CSS, CSRF, or SQL injection is irrelevant. He has gained unauthorised access to the database, retrieved data and published the fact. Had Mr Barrow had legal permission to perform the hack (as an Ethical Hacker) the correct course of action should have been to inform the owner of the website/database of the breach so that they could take immediate remedial action.
connda, posted June 16, 2021:
These people have no idea how to develop code. They are literally back in the 1990s in their web development practices. I jokingly said a while back that contracts to produce Thai government websites like this one are given to some bigwig's kid or nephew in university. Now I'm betting I'm not far off. No data security at all.
metisdead, posted June 16, 2021:
A post using a trolling image has been removed.
JamieM, posted June 16, 2021:
> 2 minutes ago, Phuketshrew said:
> Gaining unauthorised access to any system and its data is, by definition, HACKING.
Nonsense, he did not gain unauthorised access to any system; it was there for all to see. You obviously have no idea what you are talking about.
Phuketshrew, posted June 16, 2021:
> 15 minutes ago, JamieM said:
> Nonsense, he did not gain unauthorised access to any system; it was there for all to see.
and where do you think the data was retrieved from? thin air?
JamieM, posted June 16, 2021:
> 1 minute ago, Phuketshrew said:
> and where do you think the data was retrieved from? thin air?
If it is visible on the clearnet it is not hacking.
Caldera, posted June 16, 2021:
For that shoddy appointment website, they couldn't even be bothered to set up a domain and SSL. That's obviously never a good sign, so it's not surprising that there are other issues as well.
Phuketshrew, posted June 16, 2021:
> 16 minutes ago, JamieM said:
> > 19 minutes ago, Phuketshrew said:
> > and where do you think the data was retrieved from? thin air?
> If it is visible on the clearnet it is not hacking.
My understanding is that he directly tampered with web URL parameters as he stated "all you have to do is change certain characters in the URL". I assumed that he changed the userID to retrieve and show details of other users. Maybe you have more experience than me. I would be interested to know how do you think he did it?
JamieM, posted June 16, 2021:
> 6 minutes ago, Phuketshrew said:
> My understanding is that he directly tampered with web URL parameters as he stated "all you have to do is change certain characters in the URL". I assumed that he changed the userID to retrieve and show details of other users. Maybe you have more experience than me. I would be interested to know how do you think he did it?
Well if that were the case and it were simply a case of changing a digit at the end of a url, imagine how many people do that every day by accident while navigating the web? By your way of thinking they would all be hacking and breaking the law and there would be no more space in jails worldwide. Mr Barrow is no fool and is fully aware that they want rid of him, do you really think he would post before checking the legality of the data breach before posting? In my opinion he did the right thing drawing attention to the situation before others posted information for anyone to see.
Phuketshrew, posted June 16, 2021:
Yes, it is possible to change a userID in a URL (which should not be displayed anyway) and retrieve another user's data. I've done it under controlled conditions. But only if the developer has neglected security considerations and validation routines when the web site was created, which is the point that Mr Barrow was trying to make. Of course, most web developers worth their salt would never allow this to happen so there are still some places free in the world's jails. My original point was that if he did this then it would be legally defined as hacking i.e. gaining unauthorised access to a system or data.
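An added example, not part of the thread and not the code of either website: a minimal sketch of the server-side check the post above says was neglected, contrasting a lookup that trusts the identifier in the URL with one that verifies the logged-in user owns the record. All names, records and the reference scheme are constructed assumptions; the thread does not say how the real URLs were built.

```python
import secrets

# Constructed in-memory stores; field names and values are hypothetical.
BOOKINGS = {}   # booking reference -> record
SESSIONS = {}   # session token -> user id


def create_booking(owner, name, passport_no):
    """Store a booking under an unguessable reference instead of a counter.
    This only makes guessing harder; the ownership check below is the control."""
    ref = secrets.token_urlsafe(16)
    BOOKINGS[ref] = {"owner": owner, "name": name, "passport_no": passport_no}
    return ref


def login(user_id):
    """Issue a random session token bound to the user."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def view_booking_unchecked(ref):
    """Weak pattern: whoever supplies a valid reference gets the record."""
    record = BOOKINGS.get(ref)
    return (200, record) if record else (404, None)


def view_booking_checked(session_token, ref):
    """Hardened pattern: the caller must be logged in and own the record."""
    user = SESSIONS.get(session_token)
    if user is None:
        return (401, None)
    record = BOOKINGS.get(ref)
    # Same response for "missing" and "not yours", so the endpoint does not
    # confirm which references exist.
    if record is None or record["owner"] != user:
        return (404, None)
    return (200, record)


if __name__ == "__main__":
    alice, bob = login("alice"), login("bob")
    ref = create_booking("alice", "Alice Example", "X0000001")  # constructed data
    print(view_booking_unchecked(ref)[0])      # no identity check at all
    print(view_booking_checked(bob, ref)[0])   # another user is refused
    print(view_booking_checked(alice, ref)[0]) # the owner is served
```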
JamieM, posted June 16, 2021:
> 12 minutes ago, Phuketshrew said:
> My original point was that if he did this then it would be legally defined as hacking i.e. gaining unauthorised access to a system or data.
Yeh but it's not though:
1. The data was not restricted.
2. You are assuming whoever found the data breach, knowingly accessed the data.