Plaintext Shame List Malaysia - KPDNHEP

KPDNHEP, short for Kementerian Perdagangan Dalam Negeri dan Hal Ehwal Pengguna, is the ministry responsible for promoting the development of a viable, competitive and sustainable domestic economy, specifically in the Distributive Trade Sector.

KPDNHEP operates a system, eAduan 2.0, whose primary function is to let consumers in Malaysia file consumer complaints online. Other functions include viewing and managing past complaints and filing an integrity complaint. Naturally, these functions require the user to register and log in on the website.

Upon registration, the website sends you an email that conveniently displays your login details, including the password, in plaintext.

Registration email showing IC or passport, and password in plain text

The website is powered by Laravel, which does not send such an email by default. Thus it was an explicit decision that, upon registration, the password would be emailed to the user in plaintext.
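To make that explicit step concrete, here is an added illustration (my own code, not eAduan's and not part of Laravel) of a registration mailable that carries the raw password into the email template, beside a registration flow that hashes the password and emails only non-secret details. Class, view and route names are assumed.

```php
<?php
// Constructed illustration of the two registration patterns; not eAduan 2.0 code. Names are assumed.
namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Mail\Mailable;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Mail;

// WEAK: the mailable deliberately carries the raw password into the template, so the
// secret lands in the user's inbox, the relay's queues and logs, and every mail backup.
class RegistrationMail extends Mailable
{
    public function __construct(public User $user, public string $plainPassword) {}

    public function build()
    {
        // the Blade view 'emails.registration' renders {{ $plainPassword }}
        return $this->subject('Your account details')->view('emails.registration');
    }
}

// HARDENED: the mailable only carries non-secret account details.
class WelcomeMail extends Mailable
{
    public function __construct(public User $user) {}

    public function build()
    {
        return $this->subject('Welcome')->view('emails.welcome');
    }
}

class RegisterController extends Controller
{
    public function store(Request $request)
    {
        $data = $request->validate(['email'    => 'required|email|unique:users',
                                    'password' => 'required|string|min:12']);
        $user = User::create([
            'email'    => $data['email'],
            'password' => Hash::make($data['password']), // bcrypt at rest; the raw value is not kept
        ]);
        // Mail::to($user)->send(new RegistrationMail($user, $data['password'])); // the weak choice
        Mail::to($user)->send(new WelcomeMail($user)); // the hardened choice
        return redirect()->route('login');
    }
}
```

The difference is a single constructor argument: once the raw password is never handed to a Mailable, there is nothing for the template to leak.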

Fortunately, I don't think the password itself is stored in the database in plaintext. This is supported by the fact that the website's password reset function sends the user a link to change their password, and it seems to use Laravel's default password reset implementation:

Password reset email image

Password reset UI image

Regardless, while the password may be hashed with bcrypt at rest, sending it by email is a bad idea: the plaintext copy persists in the user's mailbox and on every mail server along the way, entirely outside the site's control.