The Lisensya.info website and Why You Should Never Use it

The official Facebook page of the Land Transportation Office (LTO) recently posted that a website called "lisensya.info" is neither related nor connected to the agency.

Facebook Post: https://www.facebook.com/lto.cdmpao/posts/4945108275506974

I visited the website out of curiosity and it is currently running. I tried it out and it works well. The website has two main features, a Driver's License Authenticator and a Motor Vehicle Authenticator.

Driver's License Authenticator

Link: https://lisensya.info/

Finding a Driver's License

I searched Google for a publicly posted, uncensored driver's license and luckily found one in a Philstar article.

Article: https://www.philstar.com/the-freeman/cebu-news/2020/08/30/2038847/10-year-drivers-license-validity-start-next-year

Checking the Driver's License Authenticator

Using the details I found on Google, I tried the authenticator and it worked perfectly. The website returns the full name and expiration date of the license holder.

Below are the complete details of the request and response.

Motor Vehicle Authenticator

Link: https://lisensya.info/motorvehicle.php

Finding an MV File Number

Again, I searched Google for a publicly posted, uncensored MV File Number and found one in a MoneyMax article.

Article: https://www.moneymax.ph/government-services/articles/lto-license-plate-updates

Checking the Motor Vehicle Authenticator

Again, using the details I found on Google, I tried the Motor Vehicle Authenticator and it worked perfectly, just like the other authenticator. With this one, I was able to query and fetch the information of the owner of the car.

Below are the complete details of the request and response.

Notes for owners

  • Do not allow media outlets to publish your documents online without first asking whether you want Personally Identifiable Information (PII) blurred.
  • Do not put your MV File Number on your plate number (I'm not sure if it's a requirement, but I will never do this).

The main question now is how the lisensya.info website was able to retrieve that information. I discuss it below.

The Vulnerability

Fortunately, the website has a security vulnerability: its git repository is publicly exposed and can be downloaded.

Vulnerable Link: https://lisensya.info/.git/

Learn more about it here: https://blog.secuna.io/insecure-source-code-management/

After cloning it, I extracted the repository and was able to retrieve all of the source code as well as the name of the website's developer.

Behind the process

Checking the source code of license.php and validatemv.php, I found that the website simply calls an API endpoint on LTO.net.ph (one of LTO's official websites) to retrieve the information.

Screenshot: license.php source code
Screenshot: validatemv.php source code

Malicious Collection of Data

HOWEVER, if you read the code block after the if (httpcode == 200) { you will see that the developer saves every successful result (in XML format) on their own server!!!

What does that mean? Well, if you have used lisensya.info before to check your license or MV File Number, then your DATA has been saved to the developer's server!!!

Saved Driver's Licenses

As of 6:07 am, there are 9,733 saved driver's license records on the developer's server!

Saved MV File Numbers

As of 6:07 am, there are 18,703 saved MV File Number records on the developer's server!

Contents of the saved licenses and MVs:

Screenshot: Driver's License Information
Screenshot: MV File Number and Owner Information

Final Words

For LTO:

  • If you are the developer of the API, make sure there is proper rate limiting and other security measures on your API endpoints.
  • Also, mask the data properly and review whether every field in the response is actually necessary.
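To make the two recommendations above concrete, here is an added example (my own code, not code from the post, from lisensya.info or from LTO) of a lookup endpoint that rate limits each client with a sliding window and returns only masked PII. The record store, field names and sample license number are constructed assumptions; the real LTO.net.ph response schema is not shown in the post.

```python
import time
from collections import defaultdict, deque
from typing import Optional

# Constructed sample record; field names and values are assumptions.
RECORDS = {
    "N01-23-456789": {"name": "JUAN DELA CRUZ", "expiry": "2031-08-30"},
}

def mask_name(name: str) -> str:
    """Keep the first letter of each word, mask the rest: JUAN DELA CRUZ -> J*** D*** C***."""
    return " ".join(w[0] + "*" * (len(w) - 1) for w in name.split())

def mask_license(license_no: str) -> str:
    """Reveal only the last four characters and keep the original length."""
    return "*" * (len(license_no) - 4) + license_no[-4:]

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client key."""
    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)          # client -> timestamps of recent requests

    def allow(self, client: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.hits[client]
        while q and now - q[0] >= self.window:  # drop hits that have aged out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

limiter = SlidingWindowLimiter(limit=5, window=60.0)

def authenticate_license(client: str, license_no: str, now: Optional[float] = None) -> dict:
    """Validity check that is rate limited per client and returns only masked PII."""
    if not limiter.allow(client, now):
        return {"status": "rate_limited"}
    rec = RECORDS.get(license_no)
    if rec is None:
        return {"status": "not_found"}       # no extra fields, so nothing leaks on a miss
    return {
        "status": "valid",
        "license_no": mask_license(license_no),
        "name": mask_name(rec["name"]),      # full name is never returned in clear
        "expiry": rec["expiry"],
    }
```

A scraper that harvests records in bulk, as the post describes, is slowed to the per-client limit and still only receives masked names.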

For Users (Drivers or Car Owners):

  • Do not use lisensya.info website!!!

I hope you learned something from this blog, and I hope you share it to spread awareness among other drivers and car owners.


Credits to UNTV for the thumbnail of this blog.