Cell C website security flaw uncovered

I don't feel that corporates are doing enough to protect our data. Off the top of my head I can think of COJ, Afrihost, Vodacom and now Cell C. All this within six months.
 
I remember last year the Cell C customer portal was down for close to a month, apparently some upgrade was done and it needed to be signed off? And now this happens :(

Well I am glad Cell C listened and took care of the problem. Kudos to cavedog who found and reported the issue.
 
Another one?!

Someone has a serious pentesting company :D

I remember last year the Cell C customer portal was down for close to a month, apparently some upgrade was done and it needed to be signed off? And now this happens :(

Well I am glad Cell C listened and took care of the problem. Kudos to cavedog who found and reported the issue.

Again you too are trying to confuse me :p
 
I don't feel that corporates are doing enough to protect our data. Off the top of my head I can think of COJ, Afrihost, Vodacom and now Cell C. All this within six months.

I agree that these vulnerabilities should have been found and fixed before the various system changes went live (into production), especially where large corporates are concerned since they have the money to make sure that penetration testing is performed and that their systems meet and exceed standards and security requirements.

However, in reality there is no such thing as a bug free system, and even the simplest of systems with no apparent bugs are layered on top of or integrate with other systems (like operating systems), so there will always be a vulnerability that some miscreant could exploit in a way that Software and Systems Engineers never foresaw.

The real problem is criminally negligent entities, for example the CoJ, that refuse to take responsibility for the data that they are entrusted with, and that refuse to fix their systems or even listen when a serious vulnerability is reported by one of their own customers.

The difference between the CoJ and the rest of the companies you mentioned, is that the CoJ is criminally negligent and the others listened and fixed the problems without threatening their customers with a big stick for finding and reporting serious problems.

I hope that when the POPI Act's implementation deadline has expired, the CoJ will be the first entity that has its top management dragged into court and exposed as the bunch of corrupt officials that they clearly are for tenderpreneuring away the private information of rate payers.
 
It was a truly shocking flaw and I really hope no customers' details were compromised. Thanks to MyBB because they have contacts that get things done.

I guess those that were slamming Vodacom for their mistake and used Cell C and MTN as an operator with a flawless system.... ;)
 
Big Cell C security flaw uncovered

Cell C’s online portal made it possible for anyone to view Cell C subscribers’ personal information; security flaw fixed quickly

Meanwhile in a meeting at Vodacom:

x: We've had a leak twice now!
y: What can we do?
x: We must find a leak in our competition.
y: Sounds good.
 
In IT, system issues will always occur and irrespective of how much you test there will always be a slim chance of human error. There simply is no flawless and error-free system and it boils down to how the company deals with the issue afterwards. From personal experience I must say that CoJ is probably the most disgraceful example there can be when it comes to issues like this - instead of taking responsibility, pursuing a witch-hunt and opening a criminal case will very soon backfire.

Kudos to Cell C for fixing it so quickly.

On a side note: If it were not for users like cavedog, pointing those issues out, companies and their customers would be exposed to much worse than "just" reputational damage. For all you know, hackers could have mined that information for almost a year.

TBH - POPI does not excite me at all, as it waives any responsibility and accountability of any government organisation. So what is the point if a Cell C, Vodacom or Afrihost gets fined R10m for such a violation? Guess what? The money will disappear somewhere within the government. If POPI or ECT were used to improve internet services, the quality of online businesses and internet connectivity as a whole, I would have no problem being exposed to fines.
 
Kudos to Cavedog, I mean Eugene Eksteen

I found it a bit ironic that this has now exposed his real identity. ;-)
 
In IT, system issues will always occur and irrespective of how much you test there will always be a slim chance of human error. There simply is no flawless and error-free system and it boils down to how the company deals with the issue afterwards. From personal experience I must say that CoJ is probably the most disgraceful example there can be when it comes to issues like this - instead of taking responsibility, pursuing a witch-hunt and opening a criminal case will very soon backfire.

Kudos to Cell C for fixing it so quickly.

On a side note: If it were not for users like cavedog, pointing those issues out, companies and their customers would be exposed to much worse than "just" reputational damage. For all you know, hackers could have mined that information for almost a year.

TBH - POPI does not excite me at all, as it waives any responsibility and accountability of any government organisation. So what is the point if a Cell C, Vodacom or Afrihost gets fined R10m for such a violation? Guess what? The money will disappear somewhere within the government. If POPI or ECT were used to improve internet services, the quality of online businesses and internet connectivity as a whole, I would have no problem being exposed to fines.

This.

Not excusing it, just facing reality - response to exposure is key.

Kudos to cavedog for exposing it and well done to Cell C for fixing it so promptly.
 
According to Eksteen the vulnerability existed since March 2013, following a system upgrade by Cell C.

Okay, I wonder what happened between March 2013 and December 2013....

Someone earlier told me about a Cell C client database doing the rounds which is available for sale. This is most probably due to the vulnerability. It seems other people were aware of this as well....
 
Again you too are trying to confuse me :p

Hahahaha :D My apologies :D I didn't get why people say the 525 and GHT part was similar, but yesterday when I was just skimming through a thread, I saw why....the 525 really looked like GHT :D

I love it! This confusion is so funny!! :D
 
Kudos to Cavedog, I mean Eugene Eksteen. I found it a bit ironic that this has now exposed his real identity. ;-)
It is up to the person if they would like to stay anonymous, or be mentioned in the article. We always clear it with them first. It is cool to give credit where credit is due, but some people may understandably like to stay anonymous.
 
It is up to the person if they would like to stay anonymous, or be mentioned in the article. We always clear it with them first. It is cool to give credit where credit is due, but some people may understandably like to stay anonymous.

It is all for the glory and obviously making it easier for anyone wanting to open a police docket to do so without having to go through all those subpoenas :whistling: I think it is good to highlight those security flaws, as any responsible company will deal with those issues properly. TBH, in most cases it is relatively easy to figure out who is who (I for one know who House is).
 
TBH - POPI does not excite me at all, as it waives any responsibility and accountability of any government organisation. So what is the point if a Cell C, Vodacom or Afrihost gets fined R10m for such a violation? Guess what? The money will disappear somewhere within the government. If POPI or ECT were used to improve internet services, the quality of online businesses and internet connectivity as a whole, I would have no problem being exposed to fines.

I suspect the constitutionality of indemnifying government organisations will be challenged.

Are you absolutely sure that the CoJ (being a municipality) qualifies for POPI indemnity?
 
I suspect the constitutionality of indemnifying government organisations will be challenged.

Are you absolutely sure that the CoJ (being a municipality) qualifies for POPI indemnity?

I have not yet gone through the gazetted signed-off version from November 2013, but the previous draft versions had a very strong exemption of government institutions in there. I suppose government entities will use the Secrecy Bill or the ECT Act to mask/hide from responsibility/accountability, and I am doubtful that POPI will ever be used against a government body.
 