Netizen Voices Concern Over How Easy it is to Tamper Your SSS Account

Going around online today is a post by Mr. Brian Baquiran about the security of the SSS (Social Security System) website, particularly how easily someone could create an account with a few pieces of common information.

Here is what he wrote on his Facebook account (note that this was copy-pasted into this post). He also provided screenshots to illustrate the points.

Trying to change my password on the SSS website this morning, I discovered that the site:
1. allows anyone that knows your full name, birthdate and SSS number (basically anyone with access to employee records) to create an online account, which can then be used to avail of your benefits (actually I already knew this before…)
2. stores your passwords in plaintext, so if you use the same password on other sites, you’re fucked
3. stores a history of your passwords, so if you use ANY of those old passwords on other sites, you’re fucked.
4. does not allow “special characters” in the passwords, but validation is done in JavaScript, client-side. It would be trivial to bypass the JS validation and insert a password like x’); DROP TABLE salary_loans;
5. to view member information (contribution, loan status, etc.) you have to disable security settings and allow execution of insecure scripts/content
6. sends out your password via unencrypted email if you ever change your password. Anyone with access to the mail servers your email went through could read it and gain access to your account.
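As an added example (my code, not the SSS site's and not from Brian's post), here is the server-side counterpart to findings 2 and 4 above: passwords are stored as salted PBKDF2 hashes instead of plaintext, the character policy is enforced on the server rather than only in browser JavaScript, and every query binds its parameters, so the quoted payload is stored as inert text even when the JS check is skipped. The table names, the policy regex and the PBKDF2 work factor are constructed for the demo.

```python
import hashlib
import hmac
import os
import re
import sqlite3

ITERATIONS = 600_000                         # PBKDF2 work factor (assumption)
POLICY = re.compile(r"[A-Za-z0-9]{8,64}")    # stand-in for the site's rule


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt$digest' in hex with a fresh random salt per password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time compare


def open_db() -> sqlite3.Connection:
    """In-memory database with constructed tables standing in for the portal's."""
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE members (sss_no TEXT PRIMARY KEY, pw TEXT);"
                     "CREATE TABLE salary_loans (sss_no TEXT, balance REAL);")
    return db


def store_password(db, sss_no: str, password: str) -> None:
    """Only the hash reaches the database, and only through a bound parameter."""
    db.execute("INSERT OR REPLACE INTO members (sss_no, pw) VALUES (?, ?)",
               (sss_no, hash_password(password)))


def change_password(db, sss_no: str, new_password: str) -> str:
    """Enforce the character policy on the server; the browser check is not trusted."""
    if not POLICY.fullmatch(new_password):
        return "rejected"
    store_password(db, sss_no, new_password)
    return "changed"


def login(db, sss_no: str, password: str) -> bool:
    row = db.execute("SELECT pw FROM members WHERE sss_no = ?", (sss_no,)).fetchone()
    return row is not None and verify_password(password, row[0])
```

Calling store_password directly stands in for a request that skipped the client-side check; the bound parameter keeps the salary_loans table intact and the database never sees the plaintext.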

Our assessment: it is scarier than we thought. The digital age makes it easy for people to assume other identities, acquire an SSS number and, from there, an SSS ID.
This ID is a pretty HUGE thing in itself. Holding it is a gateway to acquiring other IDs, including a password. Banks and other businesses require an SSS number, and there it sits, totally unprotected and open to tampering.

If you have additional info or any corrections, leave a comment below or contact us.

Credits again to Brian Baquiran for this.