Openserve system had a security flaw which exposed broadband customer information

Hanno Labuschagne

Journalist
Staff member
Joined
Sep 2, 2019
Messages
2,485

The Openserve Uniweb system contained a security vulnerability which potentially exposed broadband subscriber information to Internet service providers who were not supposed to see it.

Openserve is the wholesale and networks division of Telkom. It operates the company's wholesale landline copper and fibre infrastructure.

As part of its wholesale offering to Internet service providers (ISPs), it provides a portal to track support services.
 

r00igev@@r

Executive Member
Joined
Dec 14, 2009
Messages
7,408
That site was built around the time we went camping and were still able to see dinosaurs roaming the veld. :ROFL:
 

rvZA

Executive Member
Joined
Jan 3, 2021
Messages
5,520
Personal identifiable information cannot be protected. No matter what security is used. That is the reality. POPI and GDPR will never change this. These laws will simply fine all companies out of existence and leave millions globally unemployed.
 

Anthro

Expert Member
Joined
Jun 13, 2006
Messages
3,190
I wonder if we can start taking on Telkom ISP for their unencrypted port 25 only mailservers soon?
 

RonSwanson

Executive Member
Joined
May 21, 2018
Messages
7,089
Does not sound right. What happened there?
 

cavedog

Honorary Master
Joined
Oct 19, 2007
Messages
19,303
I'm very disappointed in the ISP that reported this.

1st of all Uniweb is not accessible to anyone without valid login details. To get login details you need to have an Openserve wholesale account and to create sub logins you need to provide proof that you are employed by the wholesale account holder.

This tool was crucial to determine whether the Openserve line is in the holding pool and what speed it is before the new ISP takes ownership of the line.
 

RonSwanson

Executive Member
Joined
May 21, 2018
Messages
7,089
I'm very disappointed in the ISP that reported this.

1st of all Uniweb is not accessible to anyone without valid login details. To get login details you need to have an Openserve wholesale account and to create sub logins you need to provide proof that you are employed by the wholesale account holder.

This tool was crucial to determine whether the Openserve line is in the holding pool and what speed it is before the new ISP takes ownership of the line.

Tool may be crucial, but it appears that there isn't any RBAC on these accounts, and that merely by changing an identifier in the (sequential!) URL, unauthorized info could be accessed. This is sloppy programming at best.

According to the ISP exec, any Openserve reseller with credentials to log into Uniweb online portal can simply change the reference number of a fault report in their browser’s URL bar and view the fault, even if it’s not their client.

These reference numbers are always sequential, making them easy to guess, the executive said.
 
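As an added illustration of the access-control gap this post describes (example code written here, not code from Openserve, Uniweb or the article), the constructed Python below places a fault-report lookup that only authenticates beside one that also checks the record's owner, plus an audit helper a test suite can use to confirm a tenant cannot read other tenants' references; the sample data, ISP names and function names are all assumed.

```python
import secrets

# Constructed sample data (not Openserve's): fault reports keyed by a
# sequential reference number, as described in the thread, each owned by
# the ISP that logged it.
FAULT_REPORTS = {
    1001: {"isp": "isp-a", "subscriber": "Subscriber One", "line": "LINE-0001"},
    1002: {"isp": "isp-b", "subscriber": "Subscriber Two", "line": "LINE-0002"},
    1003: {"isp": "isp-a", "subscriber": "Subscriber Three", "line": "LINE-0003"},
}


class NotFound(Exception):
    """One error for both 'missing' and 'not yours', so the response does not
    reveal whether a guessed reference exists."""


def view_fault_vulnerable(session_isp, ref):
    """The IDOR pattern: the caller is authenticated (has a session) but the
    handler never checks that the record belongs to that caller."""
    return FAULT_REPORTS[ref]  # raises KeyError when the reference is unused


def view_fault_hardened(session_isp, ref):
    """Object-level authorisation: the ownership check is bound to the
    session, not to anything the client supplies in the URL."""
    report = FAULT_REPORTS.get(ref)
    if report is None or report["isp"] != session_isp:
        raise NotFound(ref)
    return report


def readable_refs(view, session_isp, first, count):
    """Audit helper for a test suite: which references in a range can one
    tenant's session read through the given handler? A correct handler
    returns only that tenant's own references."""
    reachable = []
    for ref in range(first, first + count):
        try:
            view(session_isp, ref)
        except (KeyError, NotFound):
            continue
        reachable.append(ref)
    return reachable


def new_reference():
    """Non-sequential reference (128 bits, URL-safe). Defence in depth only:
    unguessable ids reduce exposure but never replace the ownership check."""
    return secrets.token_urlsafe(16)
```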

cavedog

Honorary Master
Joined
Oct 19, 2007
Messages
19,303
Tool may be crucial, but it appears that there isn't any RBAC on these accounts, and that merely by changing an identifier in the (sequential!) URL, unauthorized info could be accessed. This is sloppy programming at best.

I'm pretty sure the director is on this forum so I hope he reads this. Very swak move!

I used to help people out by logging faults for them where their ISP failed them now this is all gone. It is what it is I guess.
 

ActivateD

Expert Member
Joined
Jun 7, 2004
Messages
1,596
IDOR is common these days in many web apps. I wonder if they have done a web app review on that system.
 

rvZA

Executive Member
Joined
Jan 3, 2021
Messages
5,520
One needs to be careful when reporting security flaws of this nature in the People's Republic of South Africa. The last person who did had criminal charges laid against him.

Okay, I read up on what happened. Back then in 2013 there was only one single law in the ECT Act that says you cannot access any data electronically without permission. If he went and changed the URL, he accessed data without authorization and found himself on the wrong side of the law.

If he copied any of the data to a PC or made a screenshot, the upcoming POPI act will also make this a crime as the processing of the data was unauthorized and illegal. He would here face a 10 year imprisonment sentence and/or R10m fine per record.

And, oh, the upcoming Cybercrimes bill also prohibits accessing of data without authorization, but the difference here is with the upcoming Cybercrimes bill he could face 25 years in jail.

People should be careful when accessing information or reporting on it in any way.

The purpose of POPI and all these other laws is NOT to protect your information or privacy. It is there to protect criminal actions of corrupt government officials.
 

Crumbl0x

Senior Member
Joined
Mar 18, 2020
Messages
834
Personal identifiable information cannot be protected. No matter what security is used. That is the reality. POPI and GDPR will never change this. These laws will simply fine all companies out of existence and leave millions globally unemployed.

Sounds like you don't understand how the GDPR works.

Can't speak for POPI as I still need to do research, but this and other acts aren't meant to protect against leaks and ensure secured information. This is mostly an actuality with high chances of occurring. It's simply to inform users what data a company wants to collect, what to use it for, who it gets shared with, and if one opts in, how to view and delete this information.

The fines are more than justified to mega conglomerates that abuse our information mostly without consent and then allow these harsh leaks to happen when it could've been minimised outside the bare necessities. It will not cause the mass millions of job losses; instead, it will teach the world how to better respect privacy and secure their stuff.

I've read on some people here who start ventures outside these jurisdictions to escape the laws and fines, and this is quite suspect as they're more than likely announcing how user information is abused in these companies and don't want to take the brunt of responsibility until the Americas and whatnot start signing their own acts like in California.
 

Crumbl0x

Senior Member
Joined
Mar 18, 2020
Messages
834
Okay, I read up on what happened. Back then in 2013 there was only one single law in the ECT Act that says you cannot access any data electronically without permission. If he went and changed the URL, he accessed data without authorization and found himself on the wrong side of the law.

If he copied any of the data to a PC or made a screenshot, the upcoming POPI act will also make this a crime as the processing of the data was unauthorized and illegal. He would here face a 10 year imprisonment sentence and/or R10m fine per record.

And, oh, the upcoming Cybercrimes bill also prohibits accessing of data without authorization, but the difference here is with the upcoming Cybercrimes bill he could face 25 years in jail.

People should be careful when accessing information or reporting on it in any way.

The purpose of POPI and all these other laws is NOT to protect your information or privacy. It is there to protect criminal actions of corrupt government officials.

Yeah, I've heard about these too. I'll definitely be reading more on POPI and the Cybercrimes Bill as this isn't the same story as the aforementioned.
 

Little Mac

Honorary Master
Joined
Jul 18, 2008
Messages
53,472
This exact thing was possible on Supersonic's portal some time back. MTN client data exposed.
 