KwaZulu-Natal's eThekwini municipality e-services website is hackable, with residents’ personal information such as ID numbers and other data exposed by just changing a web address, according to an expert.
Local software developer, Taylor Gibb, has said that by simply changing a part of the web URL on the eThekwini website, full details on users can be seen. Gibb outlines this in a blog post that he wrote and posted on Thursday.
Gibb told Fin24 that it was a trivial task for someone who knew "a thing or two about computers".
“The first problem I noticed is that they emailed all users their usernames and passwords, which meant they are storing our data in plain text,” Gibb from Durban said.
“This prompted me to investigate further. What I found was shocking. By changing a single portion of the URL, you are able to see full details for any other registered user on the system. You can see their email, ID number, deceased status, gender, account number and cellphone number,” he added.
“The government has an obligation to protect our data, and I have an obligation to alert you that your data is not safe,” he said.
“In a matter of minutes, someone could have all their information at their fingertips. The code to dump their entire database, which contains everyone’s personal information, would be less than 10 lines of code,” Gibb added.
Fin24 approached eThekwini officials for comment but the municipality did not immediately respond.
Instead, the municipality told Gibb on Twitter: "We are looking into this. Sorry about that."
Just after 13:40 on Thursday, the municipality said on Twitter that it was moving to take the website offline to beef up its security.
Fin24 - http://www.fin24.com/Tech/News/ethekwini-municipality-website-leaks-user-data-expert-20160908