Joburg billing leak not a hack: whistle blower

froot

Honorary Master
Joined
Jun 2, 2009
Messages
11,347
Lol.

All that happened was this:

To open a statement, i.e. www.123.co.za/statements/fetch.php?id=0123456, you need to be logged in. That worked fine.

However, it did not check that you are user 0123456 before allowing you to fetch statement 0123456. That's where their bug came in. It's a bug, not a hack.
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,193
> Lol.
>
> All that happened was this:
>
> To open a statement, i.e. www.123.co.za/statements/fetch.php?id=0123456, you need to be logged in. That worked fine.
>
> However, it did not check that you are user 0123456 before allowing you to fetch statement 0123456. That's where their bug came in. It's a bug, not a hack.

You did not need to be logged in.
The location that held the pdfs was completely unsecured.

Best analogy I can think of:
You go to a council office. You ask to see your statement. They check your id and details and tell you "ok, your statement is in the building across the road, on the fourth floor, on table 27."
The building across the road has no entry control, no guards, and everybody's statements laid out on tables, not even in envelopes. Anyone can walk in off the street and look at anyone's statement because they're all laid out for the world to see.

No hack here at all.
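The two failures the posts above describe, a fetch endpoint that checks login but not ownership, and PDFs sitting in a web-reachable location, are shown side by side below in a minimal model. This is an added example, not code from the CoJ site or from anyone in the thread; the account numbers, the `/srv/statements` path and the `Request` shape are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Constructed sample data: statement id -> account number that owns it.
STATEMENT_OWNERS = {"0123456": "0123456", "0123457": "0123457"}

# Hypothetical storage path. The point is that it sits OUTSIDE the web root:
# a PDF can only reach a browser through the handler below, never by URL.
PDF_ROOT = "/srv/statements"

# Audit trail of refused requests (session user, statement id requested).
DENIED: List[Tuple[str, str]] = []


@dataclass
class Request:
    session_user: Optional[str]   # None when nobody is logged in
    statement_id: str             # the ?id= value from the URL


def vulnerable_fetch(req: Request) -> Tuple[int, Optional[str]]:
    """The bug as froot describes it: login is enforced, ownership is not."""
    if req.session_user is None:
        return 401, None
    if req.statement_id not in STATEMENT_OWNERS:
        return 404, None
    # Any logged-in user gets any statement just by changing the id (IDOR).
    return 200, f"{PDF_ROOT}/{req.statement_id}.pdf"


def hardened_fetch(req: Request) -> Tuple[int, Optional[str]]:
    """Same endpoint with the missing authorisation check added."""
    if req.session_user is None:
        return 401, None
    owner = STATEMENT_OWNERS.get(req.statement_id)
    # Same 404 for "does not exist" and "not yours", so status codes do not
    # confirm which ids are valid; the attempt is still recorded for auditing.
    if owner is None or owner != req.session_user:
        DENIED.append((req.session_user, req.statement_id))
        return 404, None
    # Path is built only from an id that passed the lookup, never raw input.
    return 200, f"{PDF_ROOT}/{req.statement_id}.pdf"
```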
 

froot

Honorary Master
Joined
Jun 2, 2009
Messages
11,347
> You did not need to be logged in.
> The location that held the pdfs was completely unsecured.
>
> Best analogy I can think of:
> You go to a council office. You ask to see your statement. They check your id and details and tell you "ok, your statement is in the building across the road, on the fourth floor, on table 27."
> The building across the road has no entry control, no guards, and everybody's statements laid out on tables, not even in envelopes. Anyone can walk in off the street and look at anyone's statement because they're all laid out for the world to see.
>
> No hack here at all.

I tried it that day, wouldn't let me view it if I hadn't logged in beforehand, and this was before they took it down.
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,193
I have never logged into eservices from my phone. I have 5 pdfs on my phone that say you are mistaken ;)
 

DJ...

Banned
Joined
Jan 24, 2007
Messages
70,287
> I tried it that day, wouldn't let me view it if I hadn't logged in beforehand, and this was before they took it down.

I'm not a CoJ customer and have never visited their website, let alone logged in. I too had full access to all statements. There was no login required whatsoever...
 

Budza

Executive Member
Joined
Oct 14, 2008
Messages
8,621
So, now we know who he is.

I thought he wanted to remain anonymous?
 

ISP cash cow

Executive Member
Joined
Feb 10, 2011
Messages
6,371
> So, now we know who he is.
>
> I thought he wanted to remain anonymous?

He did, but unfortunately the witch hunt from CoJ has brought about him having to defend himself.

Also, kudos to MyBroadband for writing an article about the truth of the matter. Nice one RPM!!
 

nfbs

Expert Member
Joined
Jul 15, 2008
Messages
3,296
Changing source code is a hack. Changing the URL is not a hack.

BTW does that site use SSL?
 

RichardG

Honorary Master
Joined
Apr 6, 2005
Messages
11,697
> You are assuming they know what to do with said IP

A long auditing trail will be on the table (at our expense). Just imagine sending out so many search warrants; I was quite surprised that it was freely accessible to everyone.
 

rorz0r

Executive Member
Joined
Feb 10, 2006
Messages
7,968
7 years later I notice the exact same vulnerability with another municipality that recently switched systems/providers. Is there a recommended way to report these things or is it not worth bothering (TIA)?
 