Massive flaw in old Ster-Kinekor website leaked clients’ private data
Ster-Kinekor’s old website, which was replaced in 2016, had a security flaw that leaked the private data of as many as 6.7 million users.
South African software developer Matt Cavanagh, who goes by RogueCode, discovered the vulnerability and alerted Ster-Kinekor to it.
Following the guidelines of responsible disclosure, Cavanagh gave Ster-Kinekor time to fix the issue before publicly disclosing it.
In a presentation at DevConf today, Cavanagh revealed that the vulnerability allowed anyone to get the profile details of users in Ster-Kinekor’s system.
Details included names, addresses, phone numbers, and plain text passwords.
“This wasn’t a hard thing to find at all… it was just pure negligence,” said Cavanagh.
“Not only did the API hand off details to anyone, they were also storing passwords in their database in plain text, and returning those to the client.”
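As an added illustration, not code from Cavanagh’s blog or from Ster-Kinekor’s system, the two defects he describes (an endpoint that returns any user’s row to any caller, and a password stored and returned in plain text) next to a hardened form of the same endpoint. The user records and names are constructed for the example.

```python
import hashlib
import hmac
import os

# Hypothetical, constructed sample users; no real Ster-Kinekor data.
USERS_PLAINTEXT = {
    1: {"name": "Alice", "email": "alice@example.com", "password": "hunter2"},
    2: {"name": "Bob", "email": "bob@example.com", "password": "letmein"},
}

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 from the stdlib (a dedicated password hash
    such as Argon2 or bcrypt is preferable in production)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def build_hashed_store(plaintext_store: dict) -> dict:
    """Hardened storage: keep a per-user salt and hash, never the password."""
    store = {}
    for uid, row in plaintext_store.items():
        salt = os.urandom(16)
        store[uid] = {"name": row["name"], "email": row["email"],
                      "salt": salt, "pw_hash": hash_password(row["password"], salt)}
    return store

USERS_HASHED = build_hashed_store(USERS_PLAINTEXT)

def get_profile_vulnerable(user_id: int) -> dict:
    """The pattern described in the article: no caller identity is checked and
    the whole row, plaintext password included, is returned for any id."""
    return dict(USERS_PLAINTEXT[user_id])

def is_authorized(requester_id, user_id: int) -> bool:
    """Ownership check: only an authenticated user may read their own profile."""
    return requester_id is not None and requester_id == user_id

def get_profile_hardened(requester_id, user_id: int) -> dict:
    """Enforces the ownership check and returns only public fields;
    neither the salt nor the hash ever leaves the server."""
    if not is_authorized(requester_id, user_id):
        raise PermissionError("forbidden")
    row = USERS_HASHED[user_id]
    return {"name": row["name"], "email": row["email"]}

def verify_password(user_id: int, candidate: str) -> bool:
    """Login check against the hashed store, compared in constant time."""
    row = USERS_HASHED[user_id]
    return hmac.compare_digest(hash_password(candidate, row["salt"]), row["pw_hash"])
```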
Website fixed with migration to Vista
When Cavanagh reported the issue, Ster-Kinekor was in the midst of migrating its back-end point-of-sale system to a new platform called Vista.
Switching to the new system effectively fixed the issue, which is why he can talk about it now, said Cavanagh.
The switch to Vista promised several benefits for customers, but was not without its share of teething problems.
Cavanagh said the IDs in the database went up to about 6.7 million. However, there were some deleted accounts included in that number.
Although he doesn’t know if anyone pulled the data, Cavanagh said the worst should be assumed.
“I would say it is safe to assume that someone dodgy has your data,” he said.
“If you’ve used your [Ster-Kinekor] password anywhere else, stop reading this and go change it to something unique right now.”
The full details on how he found the vulnerability are available on his blog.
Ster-Kinekor responds
Ster-Kinekor responded to Cavanagh’s disclosure, stating it has been assured that customers’ data has not been appropriated for less-than-noble intentions.
When Cavanagh contacted the company about the website vulnerability last year, it was in the process of migrating to its new online system.
“Since being made aware of this state of affairs by Mr. Cavanagh, no further breaches have been detected,” said Ster-Kinekor.
“Ster-Kinekor was assured that our customers had not been exposed to ongoing harm and that their data had remained safe.”
The company said its new multi-million-rand world-class system offers all customers “the surety of knowing that the company takes the responsibility of ensuring the security of their personal information extremely seriously”.