Just days after Kansas Gov. Jeff Colyer announced iKan, the state’s first mobile app for digital services, a broad security flaw has been discovered.
The app allows Kansans to renew their vehicle licenses and access official documents from their phone. To enable their vehicle registration transaction, a user must enter their PIN or license plate associated with the renewal — or, as one reddit user found out yesterday in a since-deleted post — any PIN or license plate.
By entering random PIN or license plate numbers, users can access the name of an insurance company, policy numbers, and the cost of registration of a specific vehicle.
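The weakness described above is a lookup keyed on an identifier that anyone can guess. The following is an added illustration, not PayIT's or the state's code, using constructed records and hypothetical field names: a lookup that accepts a plate or a PIN alone (the leaky form) next to one that requires both values to match the same record and locks a plate after repeated wrong PINs.

```python
# Added illustration (not PayIT's or the state's code): a toy renewal-lookup
# service showing why a lookup keyed on an enumerable identifier leaks, and
# one way to bind the lookup to the record's owner. All data is constructed.
import hmac
from dataclasses import dataclass, field

@dataclass
class Record:
    plate: str
    pin: str
    insurer: str
    policy: str
    fee_cents: int

# Constructed sample registrations (hypothetical values).
RECORDS = [
    Record("ABC123", "4821", "Example Mutual", "POL-0001", 4250),
    Record("XYZ789", "9173", "Sample Casualty", "POL-0002", 6100),
]

def weak_lookup(identifier: str):
    """Leaky form: a plate OR a PIN alone selects a record, so iterating
    plausible plates or the 10,000 four-digit PINs yields every record."""
    for r in RECORDS:
        if identifier in (r.plate, r.pin):
            return {"insurer": r.insurer, "policy": r.policy, "fee": r.fee_cents}
    return None

@dataclass
class HardenedService:
    max_failures: int = 5
    failures: dict = field(default_factory=dict)  # plate -> wrong-PIN count

    def lookup(self, plate: str, pin: str):
        """Hardened form: plate and PIN must match the same record, and a
        plate is locked after repeated wrong PINs so the PIN cannot be guessed."""
        if self.failures.get(plate, 0) >= self.max_failures:
            return None  # locked; a real service would also log and alert
        for r in RECORDS:
            # compare_digest avoids leaking PIN length/prefix via timing
            if r.plate == plate and hmac.compare_digest(r.pin, pin):
                self.failures.pop(plate, None)
                return {"insurer": r.insurer, "policy": r.policy, "fee": r.fee_cents}
        self.failures[plate] = self.failures.get(plate, 0) + 1
        return None
```

The lockout counter is per plate here; a deployed service would also rate-limit per client and tie the lookup to an authenticated account.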
None of the information is personally identifiable, and it is available at the county level by open records request, a spokesperson from the Kansas Department of Revenue told StateScoop.
Nonetheless, it is a crime in the state of Kansas to use somebody else’s PIN to access the information, even if the user is just entering random numbers.
The state is evaluating different measures to take, the spokesperson said, adding that “there’s absolutely a review underway to look at the situation.”
John Thomson, CEO of PayIT, the Kansas-based technology firm that developed the app, said in a press conference on March 30 that vehicle registration transactions made through the iKan app would be encrypted and cost $2 per transaction.
As of April 12, the iKan app has approximately 500 downloads on Android and a 1.0 rating (out of a possible 5.0).
PayIT has previously developed mobile applications with other states and cities across the country, and since 2014 has provided Kansas's K-TAG app, which lets drivers on the Kansas Turnpike pay tolls automatically without stopping.