Massive security flaw exposes Joburg residents’ private info

City of Joburg online system exposes customer statements – including account numbers and PIN codes – to anyone with an Internet connection

By - August 20, 2013

The City of Joburg’s (CoJ) online services system has come under fire from consumers because of a security flaw which allows municipal invoices to be viewed by anyone with an Internet connection.

The publicly available invoices contain private information including names, addresses, account numbers, PIN codes, and financial details.

A concerned Johannesburg resident alerted MyBroadband to the security flaw, showing that invoices are not password protected and can be viewed using a public URL.

According to this resident, who asked to remain anonymous, he unsuccessfully tried to alert the CoJ about the security problem.

“I honestly tried to report it to the COJ, but their call centre could not assist. I then sent them an e-mail but I don’t anticipate that something will happen quickly there,” he said.

He explained why people should be concerned about the publicly available information:

  • I can use these invoices to get myself RICAed or for any other purpose where one needs a utility bill;
  • It is relatively simple to write a small script to increment the counter, extract information from the PDF, and then store it for later data-mining;
  • Once you have access to a customer’s statement, you will have their account number and PIN and will then be able to access their account electronically as well as do any sort of social engineering;
  • I would guess for customers in credit I could attempt to change their banking details and then request a refund.

Consumers are not happy about the situation. “This is sickening. I’ve just viewed a selection of total strangers’ municipal accounts,” said one Internet user.

“You can do lots of scamming with the info, targeted phishing attacks, produce fake ID books and proof of residence to match,” another user warned.

Google has also started to index the PDF statements, which means the indexed statements are searchable by name.
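The flaw described above is an access-control failure: the statement URL carries a predictable counter and the server never checks who is asking. The following is an added illustration, not code from the City of Joburg system or from MyBroadband, showing the vulnerable pattern beside a hardened handler; the statement store, usernames and function names are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Statement:
    account_no: str   # municipal account number printed on the PDF
    owner: str        # username of the customer the statement belongs to
    pdf: bytes        # constructed placeholder for the statement file


# Constructed sample store: statements keyed by a sequential counter,
# the kind of guessable identifier the article says the public URL used.
STATEMENTS = {
    1001: Statement("ACC-0001", "alice", b"%PDF constructed statement for alice"),
    1002: Statement("ACC-0002", "bob", b"%PDF constructed statement for bob"),
}


def fetch_statement_vulnerable(statement_id):
    """The flaw as described: no login, no ownership check, guessable counter."""
    st = STATEMENTS.get(statement_id)
    return st.pdf if st else None


# Hardened design: each download link carries an unguessable token that maps
# to one statement, and the server re-checks that the logged-in user owns it.
_TOKENS = {}  # token -> statement_id (hypothetical in-memory store)


def issue_statement_link(user, statement_id):
    """Return a download token, or None if the statement is not the user's."""
    st = STATEMENTS.get(statement_id)
    if st is None or st.owner != user:
        return None
    token = secrets.token_urlsafe(32)  # 256 random bits: cannot be incremented
    _TOKENS[token] = statement_id
    return token


def fetch_statement_hardened(user, token):
    """Return (status, body, headers); user is None for an anonymous request."""
    if user is None:
        return 401, None, {}  # statements are never served without a login
    statement_id = _TOKENS.get(token)
    st = STATEMENTS.get(statement_id) if statement_id is not None else None
    if st is None or st.owner != user:
        return 403, None, {}  # logged in, but not this customer's statement
    headers = {
        "Content-Type": "application/pdf",
        "Cache-Control": "no-store, private",  # keep copies out of shared caches
        "X-Robots-Tag": "noindex, nofollow",   # stop search engines indexing PDFs
    }
    return 200, st.pdf, headers
```

The `X-Robots-Tag` header addresses the indexing problem the article mentions, but it is only a secondary measure; the primary fix is that no statement is returned without an authenticated owner.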

According to an Ekurhuleni resident, the same vulnerability exists in the Ekurhuleni Municipality’s online system, although there a user must log in before being able to access the invoices.

MyBroadband contacted the City of Joburg for comment on the issue, but no one could be reached who could assist.
