Strengthening Malawi’s Digital Evolution: A Look at Cybersecurity in Local Web Platforms


Malawi’s digital transformation is accelerating. In just a few years, we’ve seen impressive growth in web applications, from e-commerce platforms and digital ticketing systems to public service portals and payment gateways.
We are shifting from paper-based processes to digital-first experiences. You can now buy an event ticket online, pay via mobile money, and access services without stepping into an office. AI tools like GitHub Copilot, Lovable, and Bolt have also enabled faster development cycles, making it possible to launch functional apps in weeks instead of months.
This evolution is worth celebrating. But with this progress comes a growing responsibility to build securely.
In this post, I want to reflect on a few insights from exploring public-facing systems and suggest ways we can collectively strengthen cybersecurity practices as we continue building.
The Rise of AI-Accelerated Web Development
With AI-assisted development, many platforms are being launched faster than ever. This has opened doors for entrepreneurs, students, and teams to quickly build MVPs and serve users across Malawi.
However, rapid development can sometimes skip over certain best practices, especially in handling sensitive data or securing backend configurations.
One example I observed was a web platform where Supabase secret keys and URLs were inadvertently visible in the frontend code. While this is not uncommon in early-stage builds, it highlights the need for developer support, training, and better tooling to ensure secrets are stored securely. With a simple Python script and just guessing the table names of the database, I was able to retrieve the whole database of users.
With AI in the mix, experience and oversight become even more important to guide what AI generates and ensure the resulting code is secure.
Identity Systems and the Importance of Secure Data Access
I explored a public service portal that required a National ID to register. During testing, I noticed that entering an ID number triggered a network request that returned personal details including fingerprint data without additional verification.
This discovery underscores how carefully critical identity data needs to be protected. Even when the goal is user convenience, extra layers of validation, such as verifying ownership of the ID number, help protect against unintended misuse.
One option could be to implement protocols like OpenID Connect or integrate secure verification services that confirm user identity before exposing sensitive data.
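One way to enforce the ownership check described above, shown as an added example rather than code from the portal: the lookup returns nothing personal until the server has issued a short-lived token bound to that ID number, and fingerprint data is never part of the response. The HMAC token is a simple stand-in for the OpenID Connect or verification service suggested above; the registry record, field names, and key are constructed for illustration.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: loaded from a server-side secret store
TOKEN_TTL = 300                       # seconds a proof of ownership stays valid
PUBLIC_FIELDS = ("full_name", "district")  # hypothetical fields; biometrics stay server-side

# Constructed record standing in for the identity registry.
REGISTRY = {"ID-0001": {"full_name": "Sample Person", "district": "Zomba",
                        "fingerprint_template": b"\x00\x01"}}

def _mac(id_number, expires):
    """HMAC binding the token to one ID number and one expiry time."""
    msg = f"{id_number}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_ownership_token(id_number, now=None):
    """Call only after the applicant proved ownership (e.g. OTP to the registered phone)."""
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    return f"{expires}.{_mac(id_number, expires)}"

def token_valid(id_number, token, now=None):
    """True only for an unexpired token that was issued for this exact ID number."""
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    fresh = expires >= (now if now is not None else time.time())
    return hmac.compare_digest(mac.encode(), _mac(id_number, expires).encode()) and fresh

def lookup(id_number, token=None, now=None):
    """Registration-form lookup: no personal data without a valid ownership token."""
    record = REGISTRY.get(id_number)
    if record is None or not token_valid(id_number, token, now):
        # Same answer for unknown IDs and unverified callers, so the
        # endpoint cannot be used to test which ID numbers exist.
        return {"status": "verification_required"}
    return {"status": "ok", **{k: record[k] for k in PUBLIC_FIELDS}}
```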
A Note on API Keys and Frontend Exposure
Payment gateways and other third-party services usually provide API keys for integration. These keys are like access passes: they authenticate requests made to the service.
In a few cases, I found these keys embedded directly in frontend JavaScript files. While this may happen during early testing phases, keeping them public can open the door to unintended access or billing issues.
Recommendations:
Use .env files and secure environment variables for all credentials.
Educate dev teams (especially junior developers and student teams) on proper API security practices.
Issue warnings if keys are misused.
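A pre-deployment check for the exposure described in this section and in the Supabase case earlier, added here as an example and not taken from any of the platforms mentioned. Supabase's JWT-format API keys carry a `role` claim: the `anon` key is meant to ship to browsers with Row Level Security enforcing access, while a `service_role` key bypasses it and must stay on the server. The bundle contents, project URL, and variable names below are constructed sample data.

```python
import base64
import json
import re

# Three dot-separated base64url segments; "eyJ" is how an encoded '{"' begins.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# Generic rule: an identifier containing "secret" assigned a long string literal.
SECRET_ASSIGN_RE = re.compile(
    r"""(?i)([\w$]*secret[\w$]*)\s*[:=]\s*["']([^"']{16,})["']""")

def jwt_claims(token):
    """Decode a JWT payload without verifying it; return {} if it is not a JSON object."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:
        return {}
    return claims if isinstance(claims, dict) else {}

def scan_bundle(name, text):
    """Return (file, line, finding) tuples for secrets that must not reach browsers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in JWT_RE.finditer(line):
            if jwt_claims(m.group(0)).get("role") == "service_role":
                findings.append((name, lineno, "supabase service_role key"))
        for m in SECRET_ASSIGN_RE.finditer(line):
            findings.append((name, lineno, f"hardcoded secret in '{m.group(1)}'"))
    return findings

def sample_key(role):
    """Constructed, unsigned token shaped like a Supabase API key (test data only)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}),
                     enc({"iss": "supabase", "role": role}), "c2FtcGxlLXNpZw"])

# Constructed frontend bundle: line 1 is acceptable, lines 2 and 3 are not.
SAMPLE_BUNDLE = "\n".join([
    'const supabase = createClient("https://project.example", "%s");' % sample_key("anon"),
    'const admin = createClient("https://project.example", "%s");' % sample_key("service_role"),
    'const gatewaySecretKey = "constructed-sample-value-0000";',
])

if __name__ == "__main__":
    for finding in scan_bundle("app.js", SAMPLE_BUNDLE):
        print(*finding, sep=": ")
```

Run against the built output directory in CI and fail the build on any finding; a key that has already shipped should be rotated, since removing it from the bundle does not invalidate it.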
Dev Mode and Debug Tools in Public Systems
While exploring the internet on Shodan, I’ve come across systems still running in development mode or with debugging features exposed.
While these configurations may seem harmless, they sometimes reveal useful metadata, like tech stack versions, which could be used by attackers to search for known vulnerabilities.
Even minor oversights can become entry points if not addressed before deployment.
In one case, I came across a web application hosted by a prestigious organization still running with default credentials. This could allow anyone with basic access knowledge to log in as an administrator. It’s unclear if this was an oversight or intentional, possibly even a honeypot.
The Bigger Picture: We’re Building for the Future
Malawi’s digital space is growing, and that’s exciting. More local apps are being built, more public services are going online, and more innovators are entering the space.
As we build, let’s prioritize:
Security education for developers at all levels
Regular audits and code reviews, even for small apps
Collaborative efforts between tech companies, educators, and government to promote secure design practices
User safety, especially when dealing with identity or payment data
Final Thoughts: Let’s Evolve Securely, Together
The progress Malawi is making in tech is something to be proud of. The goal of this reflection isn’t to point fingers, but to encourage a shared mindset: that security is part of development, not an afterthought.
With the right support, collaboration, and attention to detail, we can build platforms that are not only fast and user-friendly but also safe, trustworthy, and resilient.
Written by Innocent Waluza
Cloud & Network Security Engineer | numnet
I am a Computer network engineering student at the University of Malawi. I like sharing what I learn.