Residents of the eThekwini Municipality were recently informed that its website was upgraded, only for more technically-minded citizens to discover that their private data was being exposed.
Software developer Matt Cavanagh first posted about the security flaws on Twitter yesterday.
According to Cavanagh, it seemed as though the municipality’s website was storing user passwords in plain text and e-mailing them to users, which in itself was a major security concern.
Upon further investigation, it was discovered that it was possible for anyone to view the account information of any registered eThekwini resident.
The owner of DevEnterprise Software, Werner van Deventer, told MyBroadband that the details of 98,330 residents were exposed online and could be viewed by anyone if they had the link.
Data exposed included passwords, full names, addresses, and ID numbers.
Though none of the security researchers could confirm it, it may even have been possible to alter people’s account details.
Screenshots illustrating the security flaw are included below.
No action until public shaming
Cavanagh, van Deventer, and other security researchers contacted the municipality to warn it of the issue, but received no feedback.
Only after software engineer Taylor Gibb posted about it on his blog and it was spread on Twitter did the municipality react.
The website has since been taken offline, and the municipality has apologised for the leak.
Van Deventer said he and SensePost CTO Dominic White were trying to figure out a way to disclose the vulnerability without giving people with malicious intent a chance to extract the data.
“Not many people realised the underlying request also contains the password,” van Deventer said.
“I also highlighted to them that you can generate bills for anyone without being logged in; until a few minutes ago that was still live.”
@BruceCGordon @cathjenkin We are looking into this. Sorry about that.
— eThekwini Muni (@eThekwiniM) September 8, 2016
@taybgibb @BruceCGordon @cathjenkin Thanks Taylor, we have sent your blog post and tweets to Head of IT for immediate action. Thanks Cath.
— eThekwini Muni (@eThekwiniM) September 8, 2016
#eServices We are adding the required security to the site, and in the interim will take it offline, until we update the security.
— eThekwini Muni (@eThekwiniM) September 8, 2016