Somaliland Chronicle

Breaking – Somalia’s E-Visa System Vulnerability: A Digital Nightmare Exposing Travelers to Al-Shabaab

In a chilling revelation that underscores the precarious state of digital security in conflict zones, Somalia’s E-Visa verification system is harboring a catastrophic vulnerability. This flaw exposes the personal data of every foreign national who has applied for a visa, placing them in grave danger from the Al-Shabaab militant group. The vulnerability, found by a security team led by Abdi Daud, Lead Architect and expert in building enterprise systems, resides in the E-Visa’s verification endpoint, which requires no authentication, authorization, or rate limiting. This negligence leaves the system wide open to anyone with an internet connection, transforming a tool of state into a potential directory for terrorists. This isn’t just a data breach; it’s a matter of life and death.

Somaliland Chronicle has independently verified the vulnerability, confirming the urgency and severity of the situation. Mr. Daud explained that this is not a sophisticated hack but a fundamental, negligent architectural failure. “The vulnerability is so basic that it’s almost laughable,” Daud, who spoke on the record, told Somaliland Chronicle. “This isn’t hacking; it’s counting. Somalia’s E-Visa system is like numbering everyone’s visa number and putting them on a website URL. With a little trial and error, anyone can simply change the number in the web address and see the next person’s complete passport details and photograph. I found multiple records in 30 minutes with a script that took 10 minutes to write. In my entire career, I’ve never seen a simpler vulnerability with more catastrophic consequences.”

The consequence of this exposure is a potential death sentence. Al-Shabaab, known for its sophisticated intelligence capabilities and relentless attacks on foreigners, can now exploit this database to target embassy staff, NGO workers, and United Nations personnel. Handing the militant group a digital ‘kill list’ of every foreigner visiting Somalia—complete with photos and passport details—is an open invitation to targeted assassinations and kidnappings. The complete absence of basic security protocols is baffling. Modern API security, standard practice in most countries, was completely overlooked. This system was apparently designed with zero consideration for security, even though it handles the most sensitive data possible: international travel into a high-risk conflict zone.
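The three controls the article says are missing (authentication, authorization and rate limiting) can be illustrated with a short sketch. This is an added example, not code from the E-Visa system or from Mr. Daud's team; the record fields, the limits and the `VerificationService` name are hypothetical, and the sample records are constructed.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed sample records; field names and values are hypothetical.
RECORDS = {
    "1001": {"passport_no": "P1234567", "status": "approved"},
    "1002": {"passport_no": "X7654321", "status": "approved"},
}

MAX_ATTEMPTS = 5        # lookups allowed per client per window (assumed limit)
WINDOW_SECONDS = 60.0


class VerificationService:
    def __init__(self, records, clock=time.monotonic):
        self._records = records
        self._clock = clock
        self._attempts = defaultdict(deque)  # client id -> attempt timestamps

    def _rate_limited(self, client):
        # Sliding window: drop attempts older than the window, then count.
        now = self._clock()
        q = self._attempts[client]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MAX_ATTEMPTS:
            return True
        q.append(now)
        return False

    def verify(self, client, visa_id, passport_no):
        """Return (http_status, body). Never returns the stored record."""
        if self._rate_limited(client):
            return 429, {"error": "too many requests"}
        record = self._records.get(visa_id)
        # Compare against a dummy value when the id is unknown so that an
        # unknown id and a wrong passport number are indistinguishable.
        expected = record["passport_no"] if record else "\0" * 8
        match = hmac.compare_digest(expected.encode(), passport_no.encode())
        if record is None or not match:
            return 404, {"error": "not found"}
        # Minimal disclosure: confirm validity only, no photo or passport data.
        return 200, {"visa_id": visa_id, "status": record["status"]}
```

With these checks, changing the number in a request reveals nothing unless the caller already holds the matching passport number, and repeated guessing from one client is cut off after a handful of attempts.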

The threat matrix is vast, extending beyond terrorism to identity theft and espionage, while placing vulnerable groups like children and political dissidents at even greater risk. This level of negligence appears to violate multiple international laws, including the International Covenant on Civil and Political Rights and the African Charter on Human and Peoples’ Rights. For EU citizens, this is a clear violation of the General Data Protection Regulation (GDPR), which has extraterritorial provisions that could trigger significant fines. This failure also flies in the face of U.S. national security policy, such as Executive Order 14117, which seeks to prevent this exact type of data exposure. The incident raises serious questions about contractor liability and the obligations of the hosting providers and payment processors profiting from this compromised system.

Ultimately, this digital collapse mirrors Somalia’s chronic physical governance failures. A recent White House proclamation banning certain Somali officials from the U.S. cited the country’s “lack of command and control of its territory.” That language is prescient. The E-Visa system is the digital echo of this exact failure, extending Somalia’s failed state status into the digital realm. It suggests a profound disregard for the safety and privacy of travelers, shattering the trust necessary for any international cooperation or travel in the region.

Immediate action is required. Daud issued a direct warning: “To governments whose citizens’ data is exposed: demand Somalia shut this system down immediately, not after review, now. To hosting and payment providers: you’re facilitating passport exposure in a terrorism hotspot while profiting from it. No contract or profit justifies enabling what comes next.” Travelers are advised to avoid this E-Visa system entirely and find alternative visa arrangements. International organizations must issue urgent security advisories, and airlines should suspend any requirement for the E-Visa. This is a failure of digital governance with lethal consequences, and its simplicity makes it all the more damning. The world must protect its citizens from Somalia’s digital chaos.

