eThekwini Municipality leaked private details of almost 100,000 residents
Residents of the eThekwini Municipality were recently informed that its website was upgraded, only for more technically-minded citizens to discover that their private data was being exposed.
Software developer Matt Cavanagh first posted about the security flaws on Twitter yesterday.
According to Cavanagh, the municipality’s website appeared to be storing user passwords in plain text and e-mailing them to users on request. That alone is a major security concern: a site can only e-mail a password it can read back, so the credentials are stored in a recoverable form rather than hashed, and any compromise of the database exposes every password at once.
Upon further investigation, it was discovered that anyone could view the account information of any registered eThekwini resident.
The owner of DevEnterprise Software, Werner van Deventer, told MyBroadband that the details of 98,330 residents were exposed online and could be viewed by anyone who had the link.
Data exposed included passwords, full names, addresses, and ID numbers.
Though none of the security researchers could confirm it, it may even have been possible to alter people’s account details.
Screenshots illustrating the security flaw are included below.
No action until public shaming
Cavanagh, van Deventer, and other security researchers contacted the municipality to warn it of the issue, but received no feedback.
Only after software engineer Taylor Gibb posted about it on his blog and it was spread on Twitter did the municipality react.
The website has since been taken offline, and the municipality has apologised for the leak.
Van Deventer said he was trying to figure out a way to disclose the vulnerability with SensePost CTO Dominic White without giving people with malicious intent a chance to extract the data.
“Not many people realised the underlying request also contains the password,” Van Deventer said.
“I also highlighted to them that you can generate bills for anyone without being logged in, until a few minutes ago that was still live.”
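The two weaknesses described above, an account record reachable by anyone with the link and a password that travels in the underlying request, together with the bill generation that needed no login, are the same failure: the server trusts a caller-supplied account id and returns or acts on whatever it finds. The following is an added example, not the municipality's code, showing that pattern beside a hardened version that checks object-level authorization, strips credential fields from responses, and stores passwords as salted hashes. Every account, address, ID number, token and password in it is constructed for the example, and the function names and PBKDF2 work factor are assumptions of the example.

```python
"""Added example (not the municipality's code): an account lookup that
trusts a caller-supplied id, beside a hardened version with ownership
checks and hashed credentials. All data below is constructed."""
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed sample records; the plaintext "password" field mirrors the
# storage pattern the article describes, not a real dataset.
ACCOUNTS = {
    1001: {"name": "A. Resident", "address": "1 Example Street",
           "id_number": "0000000000001", "password": "hunter2"},
    1002: {"name": "B. Resident", "address": "2 Example Street",
           "id_number": "0000000000002", "password": "letmein"},
}

# Constructed session store: token -> account id. "Logged in" means the
# caller presented a token that resolves here.
SESSIONS = {"tok-for-1001": 1001}

SECRET_FIELDS = ("password", "salt", "password_hash")
PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the account."""


def lookup_account_vulnerable(account_id: int) -> Optional[dict]:
    """The flawed pattern: no session check, and the response is the raw
    record, so anyone who can enumerate ids reads every field."""
    return ACCOUNTS.get(account_id)


def current_user(session_token: Optional[str]) -> Optional[int]:
    """Resolve a session token to an account id, or None if not logged in."""
    return SESSIONS.get(session_token) if session_token else None


def require_owner(session_token: Optional[str], account_id: int) -> None:
    """Object-level authorization: the session must belong to account_id."""
    caller = current_user(session_token)
    if caller is None or caller != account_id:
        raise Forbidden(f"session may not act on account {account_id}")


def lookup_account_hardened(session_token: Optional[str], account_id: int) -> Optional[dict]:
    """Hardened lookup: check ownership first, then strip credential fields
    so they never leave the server, even for the account's own holder."""
    require_owner(session_token, account_id)
    record = ACCOUNTS.get(account_id)
    if record is None:
        return None
    return {k: v for k, v in record.items() if k not in SECRET_FIELDS}


def generate_bill(session_token: Optional[str], account_id: int, amount_cents: int) -> dict:
    """Bill generation gets the same ownership check; the article notes it
    was reachable without logging in."""
    require_owner(session_token, account_id)
    record = ACCOUNTS[account_id]
    return {"account_id": account_id, "name": record["name"], "amount_cents": amount_cents}


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256: the site can verify a password but never recover it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def migrate_to_hashed(account_id: int) -> bool:
    """Replace a stored plaintext password with salt + digest, in place.
    Returns True if a plaintext credential was found and replaced."""
    record = ACCOUNTS[account_id]
    plaintext = record.pop("password", None)
    if plaintext is None:
        return False
    record["salt"], record["password_hash"] = hash_password(plaintext)
    return True


def login(account_id: int, password: str) -> Optional[str]:
    """Check a password against the hashed record and mint a session token."""
    record = ACCOUNTS.get(account_id)
    if record is None or "password_hash" not in record:
        return None
    if not verify_password(password, record["salt"], record["password_hash"]):
        return None
    token = "tok-" + os.urandom(8).hex()
    SESSIONS[token] = account_id
    return token


def raises_forbidden(fn: Callable, *args) -> bool:
    """True if fn(*args) raises Forbidden; used to check the denials."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print(lookup_account_vulnerable(1002))                # whole record, password included
    print(lookup_account_hardened("tok-for-1001", 1001))  # own record, no credential
    print(raises_forbidden(lookup_account_hardened, "tok-for-1001", 1002))  # True
    migrate_to_hashed(1002)
    print(login(1002, "letmein") is not None)             # True
```

The hardened lookup does two independent things, and both matter: `require_owner` stops one resident reading another's record, and the field filter stops the credential leaving the server at all, so a later bug in the authorization check cannot turn into a password leak. Once passwords are stored with `hash_password`, the "e-mail me my password" feature becomes impossible to implement, which is the point; a reset link is the replacement.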
We are looking into this. Sorry about that.
— eThekwini Municipality (@eThekwiniM) September 8, 2016
Thanks Taylor, we have sent your blog post and tweets to Head of IT for immediate action. Thanks Cath.
— eThekwini Municipality (@eThekwiniM) September 8, 2016
#eServices We are adding the required security to the site, and in the interim will take it offline, until we update the security.
— eThekwini Municipality (@eThekwiniM) September 8, 2016