First it was the City of Johannesburg that was found to be leaking sensitive customer details online; now it’s the Municipality of Ekurhuleni that’s got a security hole in its online billing service. If you’re logged into its system, you can see the bills and payment histories of other residents and companies in a nice RICA-ble format.
As with the Joburg exploit, it was an eagle eyed sleuth over at the MyBroadband forums – JoseP – who spotted the vulnerability. Once logged onto the Ekurhuleni user account system, you can access other people’s invoices by entering a direct URL link to the files. Customer invoices containing address details and statements of arrears for citizens and businesses who’ve registered with the online system are accessible to anyone with an existing account and login.
It’s not quite as bad as the Joburg problem – unless you have credentials for the Ekurhuleni system you can’t access strangers’ files – whereas Joburg’s files were so open that Google was spidering them. Registering as a new user, however, takes a couple of minutes and can be done with fake credentials.
When contacted, a representative from Ekurhuleni told us that this particular exploit is impossible and hung up the phone. Sadly, we’ve verified it in the office using credentials given to us by a bona fide account holder.
The system in question is supplied by Interfile. We spoke to company founder and CEO Sheldon Quamby, who admitted the problem exists. According to Quamby, the system was put through rigorous penetration testing by both a local and international security provider before it was set live – neither of whom uncovered the issue. Quamby said that the system uses two independently random numbers to generate URLs, which should make the exploit hard to find.
A security export we spoke to, however, was unconvinced. For a determined and experienced hacker figuring out random sequences isn’t too big a job – although it would take time and produce an attack pattern that should be easy to spot.
“It’s not an easily accessible scenario that other accounts should be discovered,” he told htxt.africa, “So the danger to account holders is slim… The chances of discovering a useable URL by chance are around one in a trillion.”
Joburg, meanwhile, has released a statement on its issue:
”We are aware of the security breach on our E statement services. Our technical team has brought the services down to prevent further unauthorized access to consumer accounts. We are currently investigating the root cause and permanent solution will be applied. We do apologise for any inconvenience caused. Customers requiring copies of their Account Statement can contact the City of Johannesburg Call Centre on 0860 Joburg or 0860 56 28 74 or send a request via email at: firstname.lastname@example.org.”
And is refusing to comment further.
//Update – Interfile have contacted us to tell us that a fix will be being deployed onto the Ekurhuleni servers at 5pm.
More updates to come as we investigate the legal ramifications of both of these problems.