Date: 2022-07-20

The SABC’s TV Licence web portal has a security vulnerability that allows attackers to access people’s accounts without knowing their passwords.

An attacker can see TV Licence holders’ outstanding bills, download an account statement, and view and change any address details on file.

MyBroadband received a tip about the flaw from a reader who discovered it. The amateur security researcher revealed the details of the vulnerability on condition of anonymity.

We immediately notified the SABC about the issue, and it has neither taken down the vulnerable part of the TV Licence website nor discussed arranging a coordinated disclosure.

“The SABC is investigating this matter, as the security of its platforms and protection of its clients’ personal information is of utmost importance,” said the state-owned broadcaster’s Head of Communications, Ndileka Cola.

As the vulnerability was still unpatched at the time of publication, we will not disclose the full details in this article.

Screenshots of the most pertinent details attackers can see and alter are shown below.

This is not the first time security problems have been reported with the SABC’s TV Licence portal.

In 2016, an observant reader noticed that the SABC’s payment gateway provider used an outdated encryption algorithm to secure sensitive credit card information.

At the end of 2020, the broadcaster warned about an ongoing hack of its TV Licence web portal and advised customers not to leave their details on the website until it was resolved.

It announced a day later that the hack was resolved.

South Africa’s struggling state-owned broadcaster has battled to convince the public to pay their TV Licences in recent years.

At the end of March 2019, 69% of TV Licence fees billed had not been paid.

By March 2020, this increased to 76%.

In its annual report for the 2020/21 financial year, the SABC reported a TV Licence fee evasion rate of 82%.

To combat this trend, the broadcaster has proposed that TV licence fees be replaced with a public media levy.

The proposed levy is effectively a tax all households and businesses must pay regardless of whether they watch the SABC’s content or own a TV.

It argues that your household must pay the levy if you can access the SABC’s content, whether on radio, YouTube, or a traditional TV.

In addition, the SABC wants South Africa’s biggest pay-TV player — in this case, MultiChoice — to help collect the levy.

The Organisation Undoing Tax Abuse and MultiChoice support replacing TV licences with a device-independent, technology-neutral household levy.

However, MultiChoice said that the levy collection should not fall to the SABC’s competitors.

Instead, it suggested that the levy could be collected as a tax at the local or national level.

