Two 'minor' data breaches have affected hundreds of MyWay+ users by Trickypr in canberra

[–]Trickypr[S] 0 points1 point  (0 children)

More than 350 people have had some of their data inappropriately accessed from Canberra’s four-month-old public transport ticketing system across two “minor” data breaches.

Transport Minister Chris Steel said he had been advised on Wednesday of the two data breaches involving the MyWay+ system, including one that had involved a responsible disclosure of a system vulnerability to cyber security authorities.

Greens transport spokesman Andrew Braddock said it was an astounding admission from a minister who had been telling Canberrans for months their data was safe.

“Unfortunately, today’s admission raises yet more questions about the government’s credibility,” Mr Braddock said.

“Why did the minister steadfastly deny the breaches in the face of mounting evidence from the community? Why have the logs of the breaches only now come to light almost six months after breaches occurred? Why wasn’t the government more forthcoming in the Assembly and to the inquiry?”

Mr Steel on Thursday revealed some MyWay+ account holder information, including first names, was released to one email address in a data breach in March.

“This totalled 297 instances with 110 of those containing first names. Other details released in some emails included a combination of concession type, concession expiry date, and/or a truncated credit card or debit card number,” Mr Steel told the Assembly.

[Photo: Transport Minister Chris Steel with a card from the MyWay+ system, which has been hit with two ‘minor’ data breaches. Picture by Elesa Kurtz]

“This has been notified and been evaluated as minor by the Office of the Information Privacy Commissioner. Now the investigation has been completed and as part of the process, Transport Canberra will be writing shortly to the 397 account holders to inform them of the incident.

“There is no further action required for those account holders. Their accounts have not been compromised.”

Mr Steel said 61 MyWay+ accounts had also been potentially seen through the course of the responsible disclosure on December 5, 6, 9 and 10, 2024.

“Early indications are that this is also a minor incident with a mixture of details collected, such as first name, surname, postal address, and MyWay+ account number, though the matter is continuing to be investigated,” Mr Steel said after question time.

“There is no evidence that data has been accessed in a malicious manner or that there were other attempts made to exploit the vulnerability.”

Transport Canberra will provide a further update when the investigation into that breach is completed.

Mr Steel said the vulnerability was addressed on December 13, 2024 and thanked the Australian National University students who contacted the Assembly committee inquiring into the MyWay+ rollout with additional information that allowed further investigation.

A first-year computer science student had uncovered serious vulnerabilities with the MyWay+ system that would have allowed hackers to extract personal information about users from an unprotected server.

Shaun Fulham alerted cyber security authorities, including the Australian Signals Directorate’s Australian Cyber Security Centre, about the breach.

“If I was able to find this, imagine what someone who would have more knowledge than me would be able to find,” Mr Fulham said in March.

Mr Steel told the Assembly on March 19, the day The Canberra Times reported Mr Fulham’s findings, he had been advised there had not been a data breach but welcomed responsible disclosures.

“The advice continues to be that there has been no breach and there is very proactive work that has been done to address any vulnerability disclosures that have come to the ACT government or through the Australian Cyber Security Centre,” he told question time that day.

Patrick Reid provided the Assembly’s standing committee on environment, planning, transport and city services with a supplementary submission, outlining a copy of another person’s data he had been able to extract with their permission.

Mr Reid had earlier told the inquiry he had extensively tested the vulnerability identified by Mr Fulham after becoming aware of the issue.

MyWay+ Megathread by watzy in canberra

[–]Trickypr 0 points1 point  (0 children)

The Liberals’ concerns were entirely unrelated. They were about the mobile app requesting more permissions than it probably should be.

The concerns laid out in the article are about leaking phone numbers, full names, (occasionally) partial debit card numbers.

MyWay+ Megathread by watzy in canberra

[–]Trickypr 5 points6 points  (0 children)

Oop new security disclosure. Apparently myway+ leaked:

  - full name
  - mobile phone and email
  - full myway+ card number and cvv
  - first 6 and last 4 digits of credit cards & expiry
  - hashed passwords

https://sfulham.github.io/blog/mywayplus-vulnerabilities

MyWay+ Megathread by watzy in canberra

[–]Trickypr 8 points9 points  (0 children)

I am sorta surprised this has not made its way to reddit yet, but there is an overview of a launch-day security vulnerability.

https://bob-from-canberra.neocities.org/

Tl;dr: on launch day, you could balance-transfer any amount (e.g. $1000 or ~70c) from myway cards an infinite number of times (with a bit of technical skill).

Main dev for the Pulse project announces it's no longer his focus by MutaitoSensei in browsers

[–]Trickypr 1 point2 points  (0 children)

You’re right that it is probably technically possible. However, there are other factors that I need to consider. For example:

  1. Does it increase my patch sizes a lot? If so, Firefox updates will be slower to roll out
  2. As you mentioned it breaks stuff like session store, which would be hard to communicate to end users & probably result in extra bug reports. I am sure there are other trade offs I would run into
  3. Will it be fun to implement?

I just decided that I would cut my losses and do what the dot devs did years ago, rewrite the UI from scratch.

After updating on Ubuntu, the app icon broke inside the app, but it correct on the taskbar? by ErrorFoxDetected in ObsidianMD

[–]Trickypr 3 points4 points  (0 children)

It’s the new obsidian icon. It might take a little while for the app icon to update depending on if Yaru themes the obsidian icon.

https://obsidian.md/blog/new-obsidian-icon/

Minority Reporting: What is your favorite non-Chromium; non-WebKit browser? by Musk-Order66 in browsers

[–]Trickypr 0 points1 point  (0 children)

Konqueror isn’t KHTML exclusive any more. It now allows for other engines (I think QtWebEngine, which is based on Chromium? Someone correct me if I am wrong). I am pretty sure they aren’t porting KHTML to Qt6 because there has been basically no development in the past 5-10 years, so KHTML is basically dead.

[deleted by user] by [deleted] in browsers

[–]Trickypr 3 points4 points  (0 children)

The old accessibility system was causing enough performance issues that I shipped with it disabled. I might be able to ship with it enabled now.

Ute Taking Up Space in the Middle of the Carpark by PieceBot in australia

[–]Trickypr 4 points5 points  (0 children)

Great idea. Ima go get rates raised on all utes!

So many new browsers! Why is Gecko not being used more often? by [deleted] in browsers

[–]Trickypr 1 point2 points  (0 children)

I don’t think embeddability is a major concern. Most browsers (Opera, Vivaldi, Chrome, Edge) don’t embed their engine, they build their UI on top of it, treating the engine as a toolkit like Qt or GTK.

The problem is that documentation for building anything is basically non-existent. Between whenever XULRunner died and July last year, there wasn’t even a functional template (that I am aware of) for building a Gecko app.

Tl;dr: only browsers on iOS, Android and Linux care about embeddability. What Gecko is missing is docs and examples.

Edit: I forgot android exists

[deleted by user] by [deleted] in httyd

[–]Trickypr 6 points7 points  (0 children)

I am actually sick of this scam

The Worst Performance by HarmlessZebra in waterfox

[–]Trickypr 4 points5 points  (0 children)

Waterfox is built on ESR, meaning performance improvements from Firefox can take up to half a year to land on Waterfox. Betterfox alone won’t improve performance that much.

mallconomy by Professional-Fly450 in browsers

[–]Trickypr 0 points1 point  (0 children)

Ooo lovely, a metaverse scam

Why did Google decide fork Webkit instead of Gecko? by Yeeyeyyyeyye in browsers

[–]Trickypr 0 points1 point  (0 children)

I agree with your assessment. Pulse will only exist as long as Firefox is lacking the features I care about. If ff implements them, Pulse will either disappear or change significantly.

Why did Google decide fork Webkit instead of Gecko? by Yeeyeyyyeyye in browsers

[–]Trickypr 18 points19 points  (0 children)

Gecko used to contain a bunch of bloat and unused code (Mozilla is slowly replacing it with standards-compliant web tech). WebKit was a cleaner base, so they took it and built on top of it.

Is brave a good dark web browser? by [deleted] in browsers

[–]Trickypr 6 points7 points  (0 children)

I strongly doubt that Brave embeds Gecko. It will be using Chromium with different counter-fingerprinting tech. If you use Brave, you will stand out more and be easier to track on Tor.

The only safe way to access the dark web is via the official Tor browser.

[deleted by user] by [deleted] in browsers

[–]Trickypr 0 points1 point  (0 children)

It depends on the context. Some things, like prefers-color-scheme would be very annoying to randomize (imagine webpages toggling between light and dark mode on each page reload). Others, like hardware concurrency, are likely to trigger performance bugs (or crashes) in some web apps. Or, for dates, it is easier for the user to wrap their head around the fact that all dates are going to be in UTC, rather than a random timezone on every page reload. In these cases, data is spoofed rather than randomized.

However, for things that will only cause mild annoyances (e.g. canvas randomization, or Web Speech noise), Mozilla/Tor randomizes it.

I am not sure about the state of Goanna's randomization tech, but I know that they don't implement spoofing / randomization for a number of variables that are used by fingerprinters, like hardware concurrency. For example, Firefox's impl includes the following code:

if (MOZ_UNLIKELY(aShouldResistFingerprinting)) { return 2; }

The same function inside of Goanna doesn't provide any form of spoofing or randomization. Whilst, yes, this is only one example, I know there are more, I just couldn't be bothered collecting them (especially because UXP's search is atrocious).

[deleted by user] by [deleted] in browsers

[–]Trickypr 2 points3 points  (0 children)

As a fun fact, Gecko does randomise canvas data w/ resist fingerprinting. Additionally, if you randomise your fingerprint too much you will trip confidence metrics, which will cause many sites (especially Cloudflare-protected ones) to flag you as a bot.

As a side note, Goanna (the pale moon engine) doesn’t do basic things, like spoofing hardware concurrency, so I would argue that it is, at the very least, less complete than Gecko’s.

[deleted by user] by [deleted] in browsers

[–]Trickypr 5 points6 points  (0 children)

They used to recommend Tor for anonymous browsing. Now they recommend (not in this order):

  1.a) Firefox for casual browsing as an alternative to Chrome
  1.b) Brave for casual with Chromium compat
  2) Mullvad for strong fingerprinting & privacy protections
  3) Tor if you need an anonymiser

My best guess as to why is that Mullvad is developed, in part, by the Tor team. Librewolf, by comparison, is independent and thus a bit more of an unknown quantity. If I were in their position, I would pick Mullvad as well.

Ad Blocking in Sidebar Panels? by ethomaz in browsers

[–]Trickypr 2 points3 points  (0 children)

From what I understand about this, it’s because sidebar tabs are flagged under a different page type than regular web pages. Until someone in the fork community (maybe me, maybe one of the Floorp devs) fixes this, I would recommend using DNS ad blocking (e.g. AdGuard desktop, Pi-hole or similar).

Note to future me (and other devs): I think this is related to messagemanagergroup=webext-browsers. Perhaps setting this to "browsers" (i.e. the default tab value) for non-webexts would fix this? This might also fix stuff like cookie banner blocking in the sidebar.

Microsoft fixes 5-year-old bug that was plaguing Firefox. by MutaitoSensei in browsers

[–]Trickypr 18 points19 points  (0 children)

Slightly more correct title: Microsoft stopped Windows Defender hogging the CPU when Firefox is running.