A serious security flaw in the City of Johannesburg’s online services system appears to have led to the system being taken offline, after it was revealed that customer invoices containing names, addresses, PINs and bank details were being served on the open web rather than from a login-protected area tied to user accounts.
The flaw was publicised on the MyBroadband forum by a member after the authorities failed to act on his alerts. We haven’t been able to verify it ourselves: the system now carries a notice saying it is closed ‘due to technical difficulties’, and the City has yet to make a statement.
According to MyBroadband, the invoices were served at predictable direct URLs with no login check, so anyone who worked out the URL for an invoice could download it. Worse, Google had indexed the documents, so they could be turned up by a search.
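To make the mechanism concrete, here is an added example (not the City's code, and not taken from the MyBroadband report) of the pattern described above: a bill endpoint keyed only by a sequential invoice number with no login check, beside a hardened version that requires an authenticated account, checks that the invoice belongs to it, and tells caches and crawlers not to keep or index the response. The bills, account IDs and function names are all constructed for the demonstration.

```python
"""Insecure direct object reference on a billing endpoint: the flawed pattern
beside a hardened one. All data here is constructed for the demonstration;
the invoice numbers and account IDs are not real."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Bill:
    invoice_no: int
    account_id: str
    pdf: bytes


# Constructed sample bills with sequential invoice numbers, the kind of
# counter that can simply be incremented.
BILLS: Dict[int, Bill] = {
    1001: Bill(1001, "acct-A", b"%PDF-1.4 ... bill for account A ..."),
    1002: Bill(1002, "acct-B", b"%PDF-1.4 ... bill for account B ..."),
    1003: Bill(1003, "acct-C", b"%PDF-1.4 ... bill for account C ..."),
}


class LoginRequired(Exception):
    """Raised when no authenticated account is attached to the request."""


class NotFound(Exception):
    """Raised for invoices that do not exist or belong to someone else."""


def fetch_bill_insecure(invoice_no: int) -> bytes:
    """The flawed pattern: the URL is the only 'credential'. Whoever requests
    /invoices/1002 gets account B's bill, and a crawler that follows one such
    link will happily index it."""
    return BILLS[invoice_no].pdf


def enumerate_insecure(start: int, count: int) -> List[int]:
    """Shows why a sequential number is not a secret: walk the counter and
    record every invoice number that returns a document."""
    found = []
    for n in range(start, start + count):
        try:
            fetch_bill_insecure(n)
            found.append(n)
        except KeyError:
            pass
    return found


def fetch_bill_secure(session_account: Optional[str],
                      invoice_no: int) -> Tuple[Dict[str, str], bytes]:
    """Hardened handler. Three changes:
    1. refuse unauthenticated requests;
    2. look the invoice up in the context of the logged-in account, and answer
       'not found' (not 'forbidden') for other people's invoices so the endpoint
       does not confirm which numbers exist;
    3. send headers that stop shared caches and search engines keeping a copy.
    """
    if session_account is None:
        raise LoginRequired("login required")
    bill = BILLS.get(invoice_no)
    if bill is None or bill.account_id != session_account:
        raise NotFound("no such invoice for this account")
    headers = {
        "Content-Type": "application/pdf",
        "Cache-Control": "private, no-store",
        "X-Robots-Tag": "noindex, nofollow",
    }
    return headers, bill.pdf
```

The ownership check is the essential fix; the `X-Robots-Tag` and `Cache-Control` headers are defence in depth, since a document that is correctly gated behind a login cannot be indexed in the first place. Replacing the sequential counter with an unguessable, short-lived download token is a further option, but it is no substitute for checking who is asking.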
Should you be worried? Sadly, yes. The information on the bills opens the door to identity theft. As the reader in question points out:
I can use these invoices to get myself RICAed or for any other purpose where one needs a utility bill.
It is relatively simple to write a small script to increment the counter, extract information from the PDF, and then store it for later data-mining.
Once you have access to a customer’s statement, you will have their account number and PIN and will then be able to access their account electronically as well as do any sort of social engineering.
I would guess for customers in credit I could attempt to change their banking details and then request a refund.
We’ll keep pressing the City for an update and will report back as soon as we have one.