Security | 8.09.2016

eThekwini Municipality leaked private details of almost 100,000 residents


Residents of the eThekwini Municipality were recently informed that its website was upgraded, only for more technically-minded citizens to discover that their private data was being exposed.

Software developer Matt Cavanagh first posted about the security flaws on Twitter yesterday.

According to Cavanagh, it seemed as though the municipality’s website was storing user passwords in plain text and e-mailing them to users, which was in itself a major security concern.

Upon further investigation, it was discovered that it was possible for anyone to view the account information of any registered eThekwini resident.

The owner of DevEnterprise Software, Werner van Deventer, told MyBroadband that the details of 98,330 residents were exposed online and could be viewed by anyone who had the link.

Data exposed included passwords, full names, addresses, and ID numbers.

Though none of the security researchers could confirm it, it may even have been possible to alter people’s account details.
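The two flaws described above (any resident's record readable by anyone who has the link, and the record carrying the stored password) are the familiar pairing of a missing ownership check with plaintext credential storage. The Python sketch below is added here as an illustration only; it is not code from the eThekwini site or from any of the researchers named, and the account records, names, ID numbers and passwords in it are constructed for the example. It puts a minimal vulnerable lookup beside a hardened one that requires a session, refuses to serve another account, stores only a salted PBKDF2 hash, and never returns a credential field.

```python
"""Vulnerable vs. hardened account lookup (added illustration, not eThekwini's code)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, pbkdf2-sha256 digest); a fresh random salt per account."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# Constructed sample data: hypothetical residents, not real records.
VULNERABLE_DB: Dict[int, dict] = {
    1001: {"full_name": "A. Resident", "address": "1 Example Rd",
           "id_number": "0000000000001", "password": "summer2016"},
    1002: {"full_name": "B. Resident", "address": "2 Example Rd",
           "id_number": "0000000000002", "password": "winter2016"},
}


def get_account_vulnerable(account_id: int) -> Optional[dict]:
    """The broken pattern: no authentication, no ownership check, and the
    plaintext password travels back with the record, so anyone who can
    guess or enumerate account_id reads every field."""
    return VULNERABLE_DB.get(account_id)


def build_hardened_db() -> Dict[int, dict]:
    """Same residents, but the password exists only as a salted hash."""
    db = {}
    for acct_id, rec in VULNERABLE_DB.items():
        salt, digest = hash_password(rec["password"])
        public = {k: v for k, v in rec.items() if k != "password"}
        db[acct_id] = {**public, "salt": salt, "pw_hash": digest}
    return db


HARDENED_DB = build_hardened_db()
SESSIONS: Dict[str, int] = {}  # session token -> account id that owns it
PUBLIC_FIELDS = ("full_name", "address", "id_number")


def login(account_id: int, password: str) -> Optional[str]:
    """Verify against the hash and issue an unguessable session token."""
    rec = HARDENED_DB.get(account_id)
    if rec is None or not verify_password(password, rec["salt"], rec["pw_hash"]):
        return None
    token = os.urandom(32).hex()
    SESSIONS[token] = account_id
    return token


def get_account_hardened(session_token: str, account_id: int) -> Optional[dict]:
    """Serve a record only to the session that owns it, and only the
    non-credential fields. The same ownership check belongs on any other
    per-account action (for example generating a bill)."""
    owner = SESSIONS.get(session_token)
    if owner is None or owner != account_id:
        return None  # unauthenticated, or reading someone else's record
    rec = HARDENED_DB[account_id]
    return {k: rec[k] for k in PUBLIC_FIELDS}  # never the hash, never a password


if __name__ == "__main__":
    print("vulnerable, no login:", get_account_vulnerable(1002))
    tok = login(1001, "summer2016")
    print("hardened, own record:", get_account_hardened(tok, 1001))
    print("hardened, other record:", get_account_hardened(tok, 1002))
```

The point of the contrast is that the hardened version is not a bigger function; it is a lookup keyed on who is asking rather than on an identifier anyone can type into a URL, with the credential removed from both the response and the stored record.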

Screenshots illustrating the security flaw (ethekwini-leak, ethekwini-leak-account-details) accompanied the original article.

No action until public shaming

Cavanagh, van Deventer, and other security researchers contacted the municipality to warn it of the issue, but received no feedback.

Only after software engineer Taylor Gibb posted about it on his blog and it was spread on Twitter did the municipality react.

The website has since been taken offline, and the municipality has apologised for the leak.

Van Deventer said he was working with SensePost CTO Dominic White on a way to disclose the vulnerability without giving people with malicious intent a chance to extract the data.

“Not many people realised the underlying request also contains the password,” Van Deventer said.

“I also highlighted to them that you can generate bills for anyone without being logged in; until a few minutes ago that was still live.”
