Security flaw in electricity, water utility website
Impact Meter Services, a water and electricity billing provider that is widely used in the Tshwane municipal area, unintentionally let its clients view one another’s invoices on its website.
This kind of security flaw, commonly known as an insecure direct object reference, has occurred regularly in the online portals of various organisations, including City of Joburg and Vodacom.
The site served a document containing personal information, such as an invoice, in response to a request carrying a sequential numeric identifier, and it did not check that the requested document belonged to the logged-in user. Because the identifiers are sequential, getting someone else’s document is as simple as changing the number.
For example, an Impact customer who is logged into the site might retrieve their latest invoice with the following URL: http://amps.co.za/Secure/ViewPdf.aspx?id=42000
While logged in, they can change the URL to id=1, id=2, or id=9001 to retrieve someone else’s invoice.
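The pattern above, as an added example that is not the site’s own code: a minimal Python model of an invoice-download handler, first in the flawed form (being logged in is the only check) and then with the object-level ownership check that closes the hole. The invoice records, user names and the `NotFound`/`PermissionError` responses are constructed for the example; the article does not say how Impact Meter Services actually fixed the site.

```python
# Added example (hypothetical code, not Impact Meter Services' ViewPdf.aspx):
# a vulnerable invoice handler beside a hardened one, plus a simulation of
# the "change the id in the URL" probe. All data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str            # account holder the invoice belongs to
    service_address: str  # address being billed for water and electricity
    amount_due: float


# Constructed sample records with sequential ids, as on the real site.
INVOICES = {
    1: Invoice(1, "alice", "12 Example St, Pretoria", 1850.40),
    2: Invoice(2, "bob", "7 Sample Rd, Centurion", 922.15),
    42000: Invoice(42000, "carol", "3 Placeholder Ave, Pretoria", 1430.00),
}


class NotFound(Exception):
    """Returned for a missing OR unauthorised invoice, so both look the same."""


def view_pdf_vulnerable(session_user, invoice_id: int) -> Invoice:
    """The flawed pattern: the id from ?id= is used directly as a record key.

    Any authenticated user can read any invoice simply by changing the id.
    """
    if session_user is None:
        raise PermissionError("login required")
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound()


def view_pdf_fixed(session_user, invoice_id: int) -> Invoice:
    """Object-level authorisation: the record must belong to the caller.

    Unauthorised and nonexistent ids get the identical NotFound response,
    so a probing user cannot even learn which ids exist.
    """
    if session_user is None:
        raise PermissionError("login required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != session_user:
        raise NotFound()
    return invoice


def enumerate_ids(handler, session_user: str, ids) -> list:
    """Simulate a logged-in user walking through ids; return the ids that
    returned somebody else's invoice."""
    leaked = []
    for invoice_id in ids:
        try:
            inv = handler(session_user, invoice_id)
        except NotFound:
            continue
        if inv.owner != session_user:
            leaked.append(invoice_id)
    return leaked


if __name__ == "__main__":
    probe = [1, 2, 9001, 42000]  # 9001 does not exist in the sample data
    print("vulnerable leaks:", enumerate_ids(view_pdf_vulnerable, "carol", probe))  # [1, 2]
    print("fixed leaks:", enumerate_ids(view_pdf_fixed, "carol", probe))            # []
```

The ownership check is the actual fix; replacing sequential ids with random, unguessable tokens makes enumeration harder but is only defence in depth, since a token that leaks (in a log, a shared link, a browser history) would again be honoured without any check of who is asking.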
Fortunately these invoices contained minimal personal information: full names, address of the house being billed for water and electricity consumption, billing address (if different), and amounts owed.
Impact Meters was contacted about the flaw and a developer responded in under 24 hours to say they were working on a fix.
Just over a week later, the company responded to say that the security flaw had been patched, and thanked the person who reported the issue.