GovPayNet voucher system exists a security flaw, 14 million transaction records are exposed

GovPayNet is a privately held company based in Indianapolis, USA, providing online payment services to more than 2,300 US government agencies in 35 states. According to the latest information, approximately 14 million records containing receipt information have been leaked since 2012. According to security researcher , the company’s website, GovPayNow.com, allows anyone to access receipt data, including fines imposed by the court, bail, and traffic fines.

After the US user completes the payment process, the GovPayNow.com website will issue a digital receipt confirming the payment, and the user can easily access the receipt information of other users by modifying the different IDs. In Krebs’ actual demonstration, you can easily access any credentials in the GovPayNet payment system by simply modifying the ID number in the receipt URL, including the full name of the receipt owner, the address of the residence, the mobile number, and the card used by the exchange. Four digits.

After discovering the security issue, the researchers sent an alert to GovPayNet about the issue and received a response two days later confirming that the “potential problem” he found was resolved. “There is currently no indication that a hacker has used any information that was improperly accessed to harm any customer. The receipt does not contain information that can be used to initiate a financial transaction.”