City of Joburg - security issue - everyone can see all customers' statements

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
Since COJ call-centre is unwilling to take in this report, perhaps RPM/MyBB can assist

- Log into eServices (http://eservices.joburg.org.za/)
- Click on "Account by Email" on the left
- On the next screen, put in your account number and PIN (it is on any of your COJ statements)
- Click Continue
- Click on "Get Statements"
- Click on "Click to View" statement - this will open your statement
- The URL will be something like this: http://cojestatements.co.za:8080/cojpdfweb/getPDF?documentID=########&download=false
- Increment the number and you will be able to display other customers' statements

BTW: Just tested and you can view any customer's statement without logging in - http://cojestatements.co.za:8080/cojpdfweb/getPDF?documentID=11800132####&download=false

Change the #### to any four digit number or change the whole number and you will just be able to data mine invoices

The above information can be used for any criminal activities such as:
(1) Use the statement for RICA/FICA or wherever you require a municipality statement
(2) Use the customer's account number and PIN to access his details on COJ (or register if not registered)
(3) Use it for social engineering or other criminal activities (you will find out the value of the house, electricity consumption, money spent etc)
(4) Perhaps go as far as have the cheek and phone CoJ to request a refund and cancel the account if the customer is in credit
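Added example, not code from the City of Joburg portal and not something the poster above supplied: a small Python stand-in for a statement-download endpoint of the shape described in the post (/cojpdfweb/getPDF?documentID=...&download=...), showing the two controls whose absence the post reports, a required authenticated session and an ownership check that ties the documentID to that session's account, followed by a log-based detector that flags a client walking through many documentIDs. The account numbers, session tokens, document IDs and log lines are all constructed for the example; the function and variable names are the example's own.

```python
"""
Added example, not the statement portal's own code. It models a getPDF-style
endpoint with and without authentication and ownership checks, plus a detector
for documentID enumeration over constructed access-log lines.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed ownership table: statement document ID -> owning account number.
DOCUMENT_OWNER = {
    "11800132001": "ACC-0001",
    "11800132002": "ACC-0002",
    "11800132003": "ACC-0001",
}

# Constructed session store: session token -> authenticated account number.
SESSIONS = {
    "sess-alice": "ACC-0001",
    "sess-bob": "ACC-0002",
}


@dataclass
class Response:
    status: int
    body: str


def vulnerable_get_pdf(session_token, document_id):
    """The pattern reported in the thread: the documentID alone selects the
    statement and the session is never consulted, so any guessable ID is served."""
    if document_id in DOCUMENT_OWNER:
        return Response(200, f"PDF bytes for {document_id}")
    return Response(404, "")


def hardened_get_pdf(session_token, document_id):
    """Authenticate, validate the parameter, then authorize by ownership.
    A document belonging to another account gets 404 rather than 403 so the
    response does not confirm to a guesser that the ID exists."""
    account = SESSIONS.get(session_token)
    if account is None:
        return Response(401, "")
    if not re.fullmatch(r"\d{1,20}", document_id or ""):
        return Response(400, "")
    if DOCUMENT_OWNER.get(document_id) != account:
        return Response(404, "")
    return Response(200, f"PDF bytes for {document_id}")


# Detection side: common-log-format line (constructed layout), capturing the
# client address, the documentID query value and the HTTP status.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /cojpdfweb/getPDF\?documentID=(\d+)\S* HTTP/1\.[01]" (\d{3})'
)


def flag_enumeration(log_lines, distinct_threshold=5):
    """Return client addresses that requested at least `distinct_threshold`
    different documentIDs. One household legitimately views a handful of its
    own statements; stepping through many IDs is the enumeration pattern."""
    per_client = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, doc_id, _status = m.groups()
        per_client[client].add(doc_id)
    return sorted(c for c, ids in per_client.items() if len(ids) >= distinct_threshold)


# Constructed sample log: one client viewing its own two statements,
# another client stepping through six consecutive documentIDs.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2014:10:00:00 +0200] "GET /cojpdfweb/getPDF?documentID=11800132001&download=false HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2014:10:00:04 +0200] "GET /cojpdfweb/getPDF?documentID=11800132003&download=false HTTP/1.1" 200 4988',
] + [
    f'10.0.0.9 - - [01/Jan/2014:10:01:{i:02d} +0200] "GET /cojpdfweb/getPDF?documentID=118001320{i:02d}&download=false HTTP/1.1" 200 5000'
    for i in range(10, 16)
]

if __name__ == "__main__":
    print(vulnerable_get_pdf(None, "11800132002").status)        # 200: served with no session
    print(hardened_get_pdf(None, "11800132002").status)          # 401
    print(hardened_get_pdf("sess-alice", "11800132002").status)  # 404: not Alice's statement
    print(hardened_get_pdf("sess-alice", "11800132001").status)  # 200
    print(flag_enumeration(SAMPLE_LOG))                          # ['10.0.0.9']
```

The ownership check is the fix that matters; the 404-on-foreign-document choice and the log detector are secondary layers, and a portal that also issues non-sequential document references removes the guessability the thread relies on in the first place.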
 

Ancalagon

Honorary Master
Joined
Feb 23, 2010
Messages
15,532
Doesn't seem to work for me - I get a blank statement. But then I didn't authenticate by logging in first.

My guess - once you have authenticated by logging in, you are authorized to view any statement.
 

Bizkit87

Executive Member
Joined
Apr 3, 2009
Messages
5,251
Doesn't seem to work for me - I get a blank statement. But then I didn't authenticate by logging in first.

My guess - once you have authenticated by logging in, you are authorized to view any statement.
I didn't even have to log in; just clicking that link and changing the numbers shows me all the invoices I can guess.
 

Cool E

Expert Member
Joined
Feb 23, 2012
Messages
4,023
Doesn't seem to work for me - I get a blank statement. But then I didn't authenticate by logging in first.

My guess - once you have authenticated by logging in, you are authorized to view any statement.

Change the #### to any four-digit number in the URL.

It works.

Damn, not safe at all.
 

The_Unbeliever

Honorary Master
Joined
Apr 19, 2005
Messages
103,202
Try to find the mayor's own account, and post it online.

Guaranteed to have this issue resolved quickly.
 

Trixanno

Senior Member
Joined
Mar 27, 2006
Messages
780
I guess finding a proof of residence for RICA/FICA won't be difficult anymore.
/end sarcasm
 

Budza

Executive Member
Joined
Oct 14, 2008
Messages
7,597
Let's see an article.

Guesses on time it'll take them to fix this?
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
Honestly tried to report it to COJ, but the call-centre could not assist and sending them an email will also not result in anything. Perhaps anyone on here has an IT contact to address this, please...
 

blunomore

Honorary Master
Joined
Jul 8, 2007
Messages
26,789
Since COJ call-centre is unwilling to take in this report, perhaps RPM/MyBB can assist

- Log into eServices (http://eservices.joburg.org.za/)
- Click on "Account by Email" on the left
- On the next screen, put in your account number and PIN (it is on any of your COJ statements)
- Click Continue
- Click on "Get Statements"
- Click on "Click to View" statement - this will open your statement
- The URL will be something like this: http://cojestatements.co.za:8080/cojpdfweb/getPDF?documentID=########&download=false
- Increment the number and you will be able to display other customers' statements

BTW: Just tested and you can view any customer's statement without logging in - http://cojestatements.co.za:8080/cojpdfweb/getPDF?documentID=11800132####&download=false

Change the #### to any four digit number or change the whole number and you will just be able to data mine invoices

Inform a DA councillor.
 

medicnick83

Paramedic
Joined
Aug 23, 2006
Messages
20,456
I also tested a random number and yeah... that is so not lekker.

Very dodgy security!
 

Inertia

Expert Member
Joined
Jan 23, 2005
Messages
1,246
Can someone get hold of Parks Tau's statement? I can then tweet to Helen Zille and the rest of the DA team
 

Beachless

Executive Member
Joined
Oct 6, 2010
Messages
6,003
What can you do with the account number and pin code?
You can see it on the bill.
 