A security expert recently contacted MyBroadband to report a vulnerability in Webafrica’s systems due to an incorrectly configured GitLab server.
This user said a configuration problem allowed members of the public to view administrator access information for various servers and services.
The person reporting the problem said he had also contacted Webafrica regarding the issue.
After he sent through this information, MyBroadband reached out to Webafrica to confirm the extent of the vulnerability.
This follows a recent report of an issue in Webafrica’s online ticket support system that allowed registered users to access other customers’ tickets.
Webafrica told MyBroadband that the GitLab vulnerability did exist but has been fixed.
“Although Webafrica has experienced two security scares in as many weeks, we would like to assure our customers that none of their data has been exposed in either breach and that we have patched both issues,” said Webafrica.
“In the first instance, a customer was able to view another customer’s email support ticket by changing ticket IDs to ones that didn’t belong to his account,” he said.
“We have patched this and would like to stress that no customer data was exposed such as user names, passwords or billing information – and this was an isolated event with no other recorded breaches.”
The GitLab server vulnerability was also patched as soon as Webafrica was alerted to the problem.
“Again, no customer data was exposed as this is protected behind a firewall.”
“We have since communicated with the individual who was helpful in providing assistance in tightening up our processes.”
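The ticket-ID bug described above, as an added illustration that is not Webafrica’s code: a lookup that trusts the client-supplied ID beside a hardened one that binds authorisation to the logged-in session, plus a small check over constructed access-log lines for the sequential-miss pattern that ID guessing leaves behind. All tickets, users and log lines are constructed.

```python
from collections import defaultdict

# Constructed in-memory ticket store; stands in for a real database.
TICKETS = {
    1001: {"owner": "alice", "subject": "Fibre line down"},
    1002: {"owner": "bob", "subject": "Billing query"},
    1003: {"owner": "alice", "subject": "Router replacement"},
}


class NotFound(Exception):
    pass


def get_ticket_insecure(ticket_id):
    """Vulnerable pattern: the ID in the request is the only key used.
    Any logged-in user who edits the ID receives another customer's ticket."""
    try:
        return TICKETS[ticket_id]
    except KeyError:
        raise NotFound(ticket_id)


def get_ticket(ticket_id, current_user):
    """Hardened lookup: ownership is checked against the authenticated user,
    never against anything the client sent. A ticket that exists but belongs
    to someone else is reported as not found, so responses do not reveal
    which IDs are valid."""
    ticket = TICKETS.get(ticket_id)
    if ticket is None or ticket["owner"] != current_user:
        raise NotFound(ticket_id)
    return ticket


# Constructed access-log lines in the form "user ticket_id http_status".
SAMPLE_LOG = """\
bob 1002 200
bob 1001 404
bob 1003 404
bob 1004 404
bob 1005 404
alice 1001 200
"""


def enumeration_suspects(log_text, threshold=3):
    """Return users refused on more than `threshold` distinct ticket IDs.
    Many misses on neighbouring IDs is the signature of ID guessing."""
    misses = defaultdict(set)
    for line in log_text.splitlines():
        user, tid, status = line.split()
        if status != "200":
            misses[user].add(int(tid))
    return sorted(u for u, ids in misses.items() if len(ids) > threshold)
```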
Webafrica told MyBroadband that both issues were the result of its complex migration.
“The underlying reasons for both events were oversights made during the complex migration of Webafrica from 1-Grid, the hosting business we sold in December 2017, with the physical infrastructure migration carried out in 2018.”
“Although the breaches led to no important data leaks, we acknowledge that they should not have been possible in the first place.”
Webafrica said it has been running internal vulnerability scans all week and engaging with an external party to perform a full vulnerability assessment and penetration tests.
Webafrica also plans to launch a bug bounty program in 2019 with a formal submission and review test.
“We would like to thank the people involved in both instances for bringing the flaws to our attention and cooperating with us in order for us to resolve the issues.”