Webafrica was recently alerted to a security flaw in its online ticket monitoring system, and it has now fixed the issue.
A MyBroadband reader reported the issue to Webafrica last week and contacted MyBroadband about the potential risk to information posed by the vulnerability.
This issue was exclusive to Webafrica’s customer zone, where customers of the ISP can monitor the progress of their support tickets and report any issues with their connection.
When accessing Webafrica’s ticket support system and viewing support tickets, customers are directed to the following URL:
In this URL, *TicketID* refers to a unique series of characters pointing to the customer’s specific ticket number.
The customer who contacted MyBroadband discovered that the Ticket ID field in the URL could be changed to view the support tickets filed by other customers.
This allowed customers to access conversations between other Webafrica users and the company’s support staff.
However, unless an attacker knew the exact ticket ID for a customer, they would only be able to randomly access support tickets by changing characters in the ticket ID field.
MyBroadband spoke to Webafrica about the problem, which they said has been fixed.
No credentials compromised
“Webafrica was recently made aware of a bug in our customer zone which allowed certain customers to view random support correspondence of other customers through manipulating ticket IDs in the URL,” Webafrica CTO Alan Kirton told MyBroadband.
Kirton added that Webafrica immediately patched the bug as soon as it was brought to the attention of the company.
“The information that was exposed was not linked to any billing to service credentials,” he said.
Upon reviewing the system, Webafrica found that the only exploit of this vulnerability was by the client who reported it and that no other activity was flagged.
“We would like to thank the customer who disclosed this to us and take this opportunity to assure our customers protection of their information is our top priority,” Kirton said.
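The flaw described above amounts to a ticket lookup keyed only on the ID in the URL, with no check that the ticket belongs to the logged-in customer. The following is an added example, not Webafrica's code: it shows that lookup without and with the ownership check, along with a log review of the kind the company says it carried out. The ticket store, account names, function names and log format are all assumptions.

```python
from dataclasses import dataclass

# Constructed sample data; every name here is hypothetical, not Webafrica's code.
@dataclass(frozen=True)
class Ticket:
    owner: str   # account that filed the ticket
    body: str

TICKETS = {
    "7f3a9c": Ticket("alice", "Line drops every evening"),
    "7f3a9d": Ticket("bob", "Router replacement request"),
}

class TicketNotFound(Exception):
    """Raised for a missing ticket and for a ticket owned by someone else."""

def view_ticket_vulnerable(session_user: str, ticket_id: str) -> str:
    # The flaw: the ID taken from the URL is the only key, so any
    # logged-in customer can read whichever ticket the ID resolves to.
    ticket = TICKETS.get(ticket_id)
    if ticket is None:
        raise TicketNotFound(ticket_id)
    return ticket.body

def view_ticket_fixed(session_user: str, ticket_id: str) -> str:
    # The fix: the ticket must belong to the authenticated session.
    # Both failure cases raise the same error, so a response never
    # confirms that someone else's ticket ID exists.
    ticket = TICKETS.get(ticket_id)
    if ticket is None or ticket.owner != session_user:
        raise TicketNotFound(ticket_id)
    return ticket.body

def cross_account_views(access_log: list[tuple[str, str]]) -> dict[str, list[str]]:
    # Review of historical requests: map each account to the ticket IDs
    # it requested that exist but belong to a different customer.
    hits: dict[str, list[str]] = {}
    for user, ticket_id in access_log:
        ticket = TICKETS.get(ticket_id)
        if ticket is not None and ticket.owner != user:
            hits.setdefault(user, []).append(ticket_id)
    return hits

# Constructed access log of (session user, requested ticket ID) pairs.
SAMPLE_LOG = [("alice", "7f3a9c"), ("bob", "7f3a9d"),
              ("alice", "7f3a9d"), ("bob", "000000")]
```

Running `cross_account_views(SAMPLE_LOG)` flags only the account that requested a ticket filed by another customer; requests for IDs that do not exist are not counted.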