A Person Discovers Critical Security Vulnerability in eCitizen Payment Gateway
Introduction
On February 1, 2025, Shadrack Matata (@shadrac_matata) took to X to highlight a critical security issue with the eCitizen payment gateway, which he discovered on May 21, 2024. Despite his efforts to report a vulnerability that could allow transaction fraud, he received no response, leaving the issue unaddressed.
The Bug Report
He narrated on his post that he found a critical bug in the Kenyan government’s eCitizen digital services platform, whereby one can fake/forge a transaction with a high risk of financial fraud and identity stealing. He tried responsibly reporting it through the domain admin to which API endpoints are attached but was silenced.
Continued Ignorance
In a follow-up posting, Matata said the bug was still there, meaning the authorities have not taken any action against the severity of this bug. The more this neglect continues, the higher the risk for users in terms of cyber-attacks.
Technical Insights
Cybersecurity analyst Humphrey (@HumphreyMburu) suggested in the thread that eCitizen may be using an outdated Laravel starter template, which could be the root cause of the vulnerability. Outdated software components are known risks, often leading to security breaches in critical systems.
Security Implications
The failure to address a reported vulnerability is alarming, especially in light of the recent major cyber-attack on eCitizen, as reported by The Standard. Outdated software remains a common entry point for cybercriminals, aligning with concerns raised by the OWASP Foundation about security risks in legacy applications.
Public Reaction
The discussion on X has sparked mixed reactions:
- Timothy Mugo Gachengo raised concerns over privacy risks, fearing exposure of sensitive ID and passport data.
- Mark Watitwa humorously suggested that the bug might be a feature, reflecting a cynical view of Kenya’s digital security measures.
- Bright Mawudor’s statement added weight to the issue, reinforcing the need for immediate intervention.
Conclusion
The unaddressed critical bug in eCitizen, reported by Shadrack Matata and emphasized by Bright Mawudor, PhD, is a wake-up call for government agencies. The failure to respond not only jeopardizes the integrity of public services but also erodes citizen trust.
Kenya’s digital infrastructure must prioritize:
✅ Timely security updates
✅ Engagement with ethical security researchers
✅ Proactive cybersecurity measures
Call to Action
🔹 Government cybersecurity teams must urgently investigate and fix the reported eCitizen vulnerability.
🔹 Users should stay vigilant and report any suspicious transactions or security flaws.
🔹 Cybersecurity experts and developers should continue pushing for stronger security protocols in public sector digital platforms.
A secure eCitizen system is not optional—it’s a necessity.
Feel free to react and comment below with your thoughts on this critical security issue. Let’s continue the conversation on how we can make digital government services safer and more reliable for everyone.
