Rain has fixed a security flaw in its website that allowed subscribers who were logged into their online profiles to view the invoices of other clients.
A MyBroadband reader discovered the flaw after Rain emailed a notice to subscribers who had not set a spend limit on their accounts. The company was encouraging its customers to set a spend limit to avoid bill shock.
While visiting their Rain dashboard, the subscriber noticed there was an area to download their monthly invoices.
Upon clicking on it, they noticed that something was amiss, as the URL of the page to download the invoice was in the form “https://www.rain.co.za/view-invoice?number=76543210”.
The number in the URL matched the invoice number. By guessing another valid invoice number, you could access someone else’s invoice.
Downloaded invoices contained the name and address of the subscriber, along with the product they were being billed for that month.
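The flaw described above is an insecure direct object reference: the server checked that the caller was logged in but not that the requested invoice belonged to that caller. The following is an added illustration, not Rain's code, showing that pattern beside its fix; the invoice store, account ids and product labels are constructed for the example.

```python
# Added example (not Rain's code): the access-control pattern behind the flaw
# described above. Invoice numbers are sequential and therefore guessable, so
# the server must check that the requested invoice belongs to the logged-in
# account rather than trusting the number in the URL. All data is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    number: int        # sequential invoice number, as in ?number=...
    account_id: str    # the subscriber the invoice belongs to
    name: str
    address: str
    product: str


# Constructed sample data: two subscribers with consecutive invoice numbers.
INVOICES = {
    76543210: Invoice(76543210, "acct-A", "A. Subscriber", "1 First St", "product X"),
    76543211: Invoice(76543211, "acct-B", "B. Subscriber", "2 Second St", "product Y"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested invoice."""


def view_invoice_vulnerable(session_account: str, number: int) -> Invoice:
    # Authentication only: any logged-in account can fetch any invoice number.
    # session_account is never consulted, which is the bug.
    return INVOICES[number]


def view_invoice_fixed(session_account: str, number: int) -> Invoice:
    # Authentication plus authorisation: the lookup is scoped to the caller.
    invoice = INVOICES.get(number)
    if invoice is None or invoice.account_id != session_account:
        # One response for "does not exist" and "not yours", so the endpoint
        # does not confirm which invoice numbers are valid.
        raise Forbidden("invoice not found")
    return invoice


def list_invoices(session_account: str) -> list[int]:
    # Preferred shape for a dashboard: enumerate only the caller's own objects
    # server-side instead of accepting arbitrary identifiers from the client.
    return sorted(i.number for i in INVOICES.values() if i.account_id == session_account)
```

The fixed handler returns the same error whether the number is unknown or belongs to another account, so an attacker probing for valid invoice numbers learns nothing from the response.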
“We acknowledge the issue that allowed a logged-on customer to speculatively view invoices of other customers,” Rain told MyBroadband.
“This was due to a bug in the middleware software which has now been resolved.”
Rain said that it has an internal security team and performs regular tests on its systems, in line with best practices.
“Rain takes the security of our clients’ data extremely seriously. The moment we become aware of any breach and/or bug in this regard, we immediately act to solve the problem,” the company said.
For security-related concerns, Rain said that members of the public can send an email to [email protected]