NSFAS fixes security vulnerabilities uncovered by Ballito-schooled brothers
Jordan and Connor Bettridge uncovered major security flaws on the NSFAS website that exposed millions of student communications and sensitive personal data.
Two Ballito-schooled brothers have uncovered serious security vulnerabilities on the National Student Financial Aid Scheme (NSFAS) website, potentially exposing the private information and funding of millions of students.
The North Coast Courier reports that Connor Bettridge (21), a third-year computer science student, and his brother Jordan (23), a software developer, were helping a friend apply for NSFAS funding in mid-November when they noticed something was wrong.
On the main NSFAS website, used by millions of applicants, the brothers discovered that around 72 million private email and SMS communications between NSFAS and applicants were publicly accessible. The data dated back to 2022.
“This was visible directly in the browser and required no special tools,” said Jordan, who grew up in Ballito and matriculated from Crawford North Coast, but is now based in Cape Town.
“Using basic developer tools available in the browser, sensitive information such as ID numbers, income details, ethnicity, home addresses, application data and disability status was easily accessible.”
Administrative access exposed
After further investigation, Jordan uncovered even more concerning flaws.
“I retrieved the front-end JavaScript code from the website and, after deobfuscating it, discovered API endpoints that exposed administrative access,” he said.
In simple terms, weak security protocols meant that someone with sufficient technical knowledge could potentially gain access normally reserved for NSFAS administrators. This could allow a malicious user to view application documents, approve or reject applications, and even modify banking details for fund transfers. The data could also be exploited for phishing scams or sold illegally.
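The two flaw classes the article describes (a privileged API that is reachable by anyone who finds its URL in the front-end JavaScript, and responses that hand the browser far more personal data than the user is entitled to see) are both server-side access-control failures. The following is an added illustration written for this page; it is not NSFAS code and assumes nothing about NSFAS's real endpoints, field names or records, all of which are constructed here. It contrasts a handler whose only "protection" is being hidden in obfuscated client code with handlers that check a server-side session, enforce ownership, minimise the fields returned, and keep an audit trail of administrator actions.

```python
# Added illustration (not NSFAS code): a "hidden" privileged endpoint versus
# handlers that enforce authorisation and data minimisation on the server.
# All applications, user ids and values below are constructed for the example.
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample applications (fictional people, fictional values).
APPLICATIONS: Dict[str, dict] = {
    "A-1001": {"applicant_id": "U-1", "status": "pending",
               "id_number": "0000000000001", "income": 120000,
               "home_address": "1 Example Road", "bank_account": "000000001"},
    "A-1002": {"applicant_id": "U-2", "status": "pending",
               "id_number": "0000000000002", "income": 95000,
               "home_address": "2 Example Road", "bank_account": "000000002"},
}

AUDIT_LOG: List[str] = []

# Fields an applicant may see of their own application; everything else
# (ID number, income, address, banking) stays on the server.
APPLICANT_VISIBLE = {"applicant_id", "status"}


@dataclass
class Session:
    """Server-side session: the role is assigned at login, never read from the request."""
    user_id: str
    role: str  # "applicant" or "admin"


class Forbidden(Exception):
    pass


# --- Vulnerable design: the handler never asks who is calling. Hiding its URL
# in obfuscated front-end code is not an access control; anyone who recovers
# the URL gets the full record, including PII and banking details.
def vulnerable_admin_get_application(app_id: str) -> dict:
    return dict(APPLICATIONS[app_id])


# --- Hardened design: every handler checks the server-side session, applies an
# object-level ownership check, and returns only the fields the caller needs,
# so browser developer tools cannot show what the user may not see.
def get_application(session: Session, app_id: str) -> dict:
    record = APPLICATIONS.get(app_id)
    if record is None:
        raise KeyError(app_id)
    if session.role == "admin":
        AUDIT_LOG.append(f"{session.user_id} read {app_id}")
        return dict(record)
    if record["applicant_id"] != session.user_id:
        raise Forbidden("not the owner of this application")
    return {k: v for k, v in record.items() if k in APPLICANT_VISIBLE}


def set_application_status(session: Session, app_id: str, status: str) -> str:
    if session.role != "admin":
        raise Forbidden("status changes are an administrator action")
    if status not in {"pending", "approved", "rejected"}:
        raise ValueError(status)
    APPLICATIONS[app_id]["status"] = status
    AUDIT_LOG.append(f"{session.user_id} set {app_id} status={status}")
    return status


def set_bank_account(session: Session, app_id: str, account: str) -> bool:
    if session.role != "admin":
        raise Forbidden("bank detail changes are an administrator action")
    if not (account.isdigit() and 8 <= len(account) <= 12):
        raise ValueError("malformed account number")
    APPLICATIONS[app_id]["bank_account"] = account
    AUDIT_LOG.append(f"{session.user_id} changed bank account on {app_id}")
    return True


def denied(fn: Callable, *args) -> bool:
    """True if the call is refused by the authorisation check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    applicant = Session(user_id="U-1", role="applicant")
    admin = Session(user_id="staff-1", role="admin")
    print(get_application(applicant, "A-1001"))     # only applicant_id and status
    print(sorted(get_application(admin, "A-1001")))  # full record for staff
    print(denied(set_bank_account, applicant, "A-1002", "000000099"))  # True
    print(AUDIT_LOG)
```

The design point is that the client-side code is public by definition, so the server must decide on every request both whether the caller may perform the action and which fields of the answer the caller is entitled to; obfuscation changes neither.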
Ethical hacking concerns
Concerned about the legal implications, Jordan chose not to probe any further.
“South Africa does not have ‘safe harbour’ protections for ethical hackers, so I did not want to cross into a grey area, even though I was trying to help,” he said.
The brothers attempted to report the issue through NSFAS’s call centre but were unsuccessful. They later contacted a journalist from MyBroadband, who was able to reach the relevant people.
NSFAS response
NSFAS has since resolved the main security issues and published a notice acknowledging the vulnerabilities identified by the Bettridge brothers. The organisation confirmed that security improvements have been implemented.
“At this stage, there is no indication of an ongoing system compromise. NSFAS continues to strengthen its cybersecurity environment to protect the personal information of students and stakeholders,” the statement read.
Read original story on www.citizen.co.za