GovPayNet voucher system exists a security flaw, 14 million transaction records are exposed

GovPayNet is a privately held company based in Indianapolis, USA, providing online payment services to more than 2,300 US government agencies in 35 states. According to the latest information, approximately 14 million records containing receipt information have been leaked since 2012. According to security researcher Briankrebs‏, the company’s website, GovPayNow.com, allows anyone to access receipt data, including fines imposed by the court, bail, and traffic fines.

Exclusive: GovPayNow/Net.com — used by 2,300 govt agencies in 35 states to let people pay bail, fines and traffic tickets — exposed >14M customer records, including name, address, phone and last 4 of credit card going back at least six years https://t.co/X9GvUSENVA pic.twitter.com/6yp5chtLFX

— briankrebs (@briankrebs) September 17, 2018

After the US user completes the payment process, the GovPayNow.com website will issue a digital receipt confirming the payment, and the user can easily access the receipt information of other users by modifying the different IDs. In Krebs’ actual demonstration, you can easily access any credentials in the GovPayNet payment system by simply modifying the ID number in the receipt URL, including the full name of the receipt owner, the address of the residence, the mobile number, and the card used by the exchange. Four digits.

After discovering the security issue, the researchers sent an alert to GovPayNet about the issue and received a response two days later confirming that the “potential problem” he found was resolved. “There is currently no indication that a hacker has used any information that was improperly accessed to harm any customer. The receipt does not contain information that can be used to initiate a financial transaction.”