“You Can See All the Code”: 2 Brothers Discover NSFAS Website’s Major Security Flaw

  • Brothers Connor and Jordan Bettridge uncovered a serious security flaw on NSFAS's web portal
  • Connor initially noticed the security threat, which could have affected several students, and contacted his brother for assistance
  • The brothers also found that the flaw affected system administrators, whose accounts could easily have been taken over
Two South African brothers found a security flaw on NSFAS's website. Images: AlphaTradeZone / Pexels, @careersportal1 / X
Source: UGC

Connor Bettridge, a third-year student at Varsity College in Cape Town, and his older brother Jordan uncovered a serious security weakness in the National Student Financial Aid Scheme's (NSFAS) online system. The flaw could have allowed an unauthorised person to gain powerful access to sensitive parts of the platform.

MyBroadband reports that the flaw put at risk the personal information of every student who had started an NSFAS application since 2022. The weakness also exposed details linked to NSFAS system administrators, allowing someone to take over an administrator account. With that level of access, an attacker could approve or reject funding applications and view confidential financial information.

Connor, whose major wasn't disclosed, first became suspicious when he noticed something unusual on the website: a panel that appeared to show messages sent by the system to users. These included one-time PINs sent to people who had forgotten their passwords. As he dug deeper, Connor found that the website's system wasn't properly protected. He then asked Jordan to help assess the seriousness of the issue and to assist in alerting NSFAS, reports MyBroadband. Together, they found that personal information, including Consumer Profile Bureau codes among other details, could be downloaded.

Students eager to get funding were none the wiser as they filled in personal information. Image: Mikhail Nilov / Pexels
Source: UGC

Jordan told the publication mentioned above:

"If you look at the code for the website, and if you deobfuscate the JavaScript, you can see all the code that would be used on the admin panel, even if you aren't an admin user."

According to MyBroadband, NSFAS addressed the security flaw and implemented remedial action.
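Jordan's point about the deobfuscated bundle is worth unpacking, because shipping admin-panel code to every browser is normal for single-page apps; it only becomes a breach when the server behind those screens does not check authorization itself. The following is an added example, not NSFAS code and not from MyBroadband's reporting; it assumes a JavaScript front end calling a JSON API, and the bundle text, route paths, session tokens and roles are all constructed for illustration. It goes beyond the quote by showing both halves: the reconnaissance step (pulling API paths out of a minified bundle) and the server-side role check whose absence turns a visible route into an account-takeover path.

```javascript
// Added example (not NSFAS's code). Shows why admin routes visible in a
// client bundle are harmless only when the API enforces roles server-side.

// Constructed stand-in for a minified front-end bundle. The admin screens are
// hidden from students in the UI, but their API paths are still in the file.
const BUNDLE =
  'function a(e){return fetch("/api/admin/notifications",{headers:{Authorization:e}})}' +
  'function b(e,t){return fetch("/api/admin/applications/"+t+"/approve",{method:"POST"})}' +
  'function c(e){return fetch("/api/student/profile",{headers:{Authorization:e}})}';

// Reconnaissance: collect every quoted string literal that looks like an API
// path. Concatenated paths come back as their literal prefix (trailing slash).
function extractEndpoints(bundle) {
  const found = new Set();
  const re = /["'](\/api\/[^"']+)["']/g;
  let m;
  while ((m = re.exec(bundle)) !== null) found.add(m[1]);
  return [...found].sort();
}

// Constructed session store: bearer token -> user record (assumption).
const SESSIONS = new Map([
  ['tok-student', { id: 1001, role: 'student' }],
  ['tok-admin',   { id: 7,    role: 'admin' }],
]);

// Constructed sample of what the admin notifications panel would return.
// The OTP value is a placeholder, not real data.
const NOTIFICATIONS = [
  { to: 'student1@example.invalid', body: 'Your one-time PIN is 000000' },
];

// Minimal request object, so the handlers can be exercised without a server.
function request(token) {
  return { headers: { authorization: token } };
}

// Vulnerable pattern: the admin page is gated in the client (a route a
// student never sees), but the API behind it only checks that the caller is
// logged in. Anyone who read the bundle can call it with a student session.
function vulnerableAdminMessages(req) {
  const user = SESSIONS.get(req.headers.authorization);
  if (!user) return { status: 401, body: null };
  return { status: 200, body: NOTIFICATIONS };
}

// Hardened pattern: the role is read from the server-side session, never from
// anything the client sends, and is checked on every privileged route.
function requireRole(role, handler) {
  return (req) => {
    const user = SESSIONS.get(req.headers.authorization);
    if (!user) return { status: 401, body: null };
    if (user.role !== role) return { status: 403, body: null };
    return handler(req, user);
  };
}

const hardenedAdminMessages = requireRole('admin', () => ({
  status: 200,
  body: NOTIFICATIONS,
}));

// Stand-alone demonstration: what a student session gets from each version.
function demo() {
  const adminPaths = extractEndpoints(BUNDLE).filter((p) => p.startsWith('/api/admin/'));
  return {
    adminPathsInBundle: adminPaths,
    studentViaVulnerable: vulnerableAdminMessages(request('tok-student')).status,
    studentViaHardened: hardenedAdminMessages(request('tok-student')).status,
    adminViaHardened: hardenedAdminMessages(request('tok-admin')).status,
  };
}

console.log(demo());
```

Two practical takeaways follow from the example. First, route discovery from a bundle is routine for any tester, so "the admin code is hidden by obfuscation" is never a control; the check that matters is the one in `requireRole`, applied to every privileged endpoint rather than to the page that links to it. Second, even the hardened handler still returns one-time PINs to administrators; a panel that displays password-reset codes at all is a separate design problem the article describes, and the fix there is not to store or show them in the clear.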

Source: Briefly News

Authors:
Jade Rhode (Human Interest Editor) Jade Rhode is a Human Interest Reporter who joined the Briefly News team in April 2024. She obtained her Bachelor of Arts degree from Rhodes University, majoring in Journalism and Media Studies (distinction) and Linguistics. Before pursuing her tertiary education, Jade worked as a freelance writer at Vannie Kaap News. After her studies, she worked as an editorial intern for BONA Magazine, contributing to both print and online. To get in touch with Jade, email jade.rhode@briefly.co.za