The National Water Supply and Drainage Board’s revamped online portal may have some security vulnerabilities that could compromise user data. First pointed out by @ishanul on Twitter, the NWSDB Online platform’s APIs are open in a way that would allow malicious actors to extract sensitive user data with ease.
The vulnerability could potentially expose data such as email addresses, mobile numbers, and passwords. What’s more alarming is that the passwords on the NWSDB Online platform are seemingly stored in plaintext. Unfortunately, this doesn’t seem to be a new problem as NWSDB consumers have complained about the vulnerability since at least 2020. Early reviews for the NWSDB Selfcare app point out that the software’s forgot password feature would send an SMS of a user’s username and password in plaintext.
Unfortunately, this issue around easily extractable passwords extends even further. This potentially opens up the possibility of gaining access to a consumer’s other accounts, especially considering that many people use the same password for other online systems.
ReadMe reached out to the Water Board as well as the Minister of Water Supply & Estate Infrastructure Jeevan Thondaman regarding the issue, though neither party has commented on the concerns raised. However, the new online portal now appears to be inaccessible and has reverted to the old system. Either way, it remains to be seen how the issue is being addressed.
The Water Board wants to be more digital
The National Water Supply and Drainage Board’s updated online system comes amid an effort to bring in more e-government services across a variety of public sectors. Last year, the Sri Lankan government kicked off renewed efforts to digitalize government services in nine state institutions as a condition of the International Monetary Fund’s $3 billion loan.
The lack of properly equipped digital government services has become a notable problem in recent years, particularly in the backdrop of the 2022 economic crisis. The situation prompted state institutions like the NWSDB to push for a digital billing mechanism, specifically e-billing, SMS billing, and a mobile printer service. By October 2023, the Water Board launched its SMS billing system via Colombo South, Kandy South, Polonnaruwa, and Trincomalee areas.
Incidentally, during the same month, the Water Board also announced that it would be further digitizing its services with the support of the Japan International Co-operation Agency (JICA). The joint effort would see the Water Board adopt an electronic document management system developed by Cyclomax, a Kurunegala-based software company. However, with concerns over data security continuing to impact the reliability of the services, it will be interesting to see how NWSDB plans to handle the situation moving forward.
The nagging security problem
Unfortunately, glaring security vulnerabilities aren’t new to e-government ventures. From routinely coming under cyber-attacks to operating without even an SSL certificate, Sri Lankan government websites are notorious when it comes to security. Now, as more state institutions attempt to digitalize their swath of services, the need for better cyber security practices at the state level deserves precedence. After all, consumers have already seen how problematic security incidents can be in a Lankan context.
It’s worth mentioning that some efforts are already underway in this regard. The State Minister of Technology Kanaka Herath recently announced that the National Cyber Security Act is to be implemented in 2024. This would include the establishment of the Cyber Security Authority. Time will tell how the act’s implementation pans out. Either way, if the Water Board’s issue is anything to go by, cybersecurity practices around the Lankan e-government are still a few steps behind at the fundamental level.