Rafizi: Action taken to address Padu issues raised by users


Action has been taken to resolve some of the issues raised by users related to registrations and updating information on the Central Database Hub (Padu) website, says Rafizi Ramli.

Taking to X (formerly known as Twitter), the Economy Minister also addressed some frequently asked questions on the system.

As of 10 am on Wednesday, 233,782 users had registered, with 71% completing electronic Know-Your-Customer (e-KYC) verification.

He also said that the issue of identification card (IC) numbers being used to override and change passwords was addressed last night.

“The weaknesses in the handling of the authentication were not found during the Security Posture Assessment (SPA),” he said.


“The team had taken immediate action, and it was resolved within an hour by 9.15pm on Jan 2,” he added.

Rafizi also said that any information updated in the Padu system without a valid e-KYC would not be integrated into the database.

“For a smoother process, user information can be updated upon logging in before going through the e-KYC process.

“The e-KYC will only be implemented after the information is updated and a profile is sent for confirmation and acknowledgement,” he said.

Rafizi also explained that a single phone number could be used to register up to five accounts of individuals living in the same household.

This, he said, was to facilitate the registrations of those who did not own mobile phones.

“Padu is designed to centralise the data of all citizens and permanent residents in Malaysia. For this reason, all individuals 18 and up must have their own accounts.

“To ensure coordination of household information, however, only the head of the household will be able to update this,” Rafizi added.

His post came after several users complained about the difficulties they faced when registering and updating their data on the newly launched system.

It was earlier reported that several flaws were discovered inside Padu within just hours of its public rollout.

While the most talked-about flaw was the MyKad-related issue, which was raised by the former Deputy Minister of International Trade and Industry, Ong Kian Ming, there was another issue with the centralized database that is even more critical. According to developer and X user @drmsr_dev, the user password for the Padu account can be changed easily just by using one’s IC number.

In a set of screenshots that were shared through the popular social media platform, drmsr_dev demonstrated that this flaw could be taken advantage of easily through API calls by someone savvy enough.

An API is a software intermediary that allows two applications to talk to each other.

A few hours after this issue was exposed to the public, drmsr_dev noted in a follow-up tweet that the team behind Padu had changed the API to fix the flaw. In addition, the Ministry of Economy has since acknowledged the flaw through a tweet earlier today.

Aside from saying that the agency is constantly monitoring feedback from the public, the tweet also noted that improvements are currently being implemented. Furthermore, the ministry deemed the discovery of the flaw and subsequent feedback as a “positive criticism”.

Rafizi refuted claims that the Padu e-KYC process takes three days, stating it currently takes under five minutes for confirmation and approval.

Earlier report:

Jan 2, Registration for Padu