The Openserve Uniweb system contained a security vulnerability which potentially exposed broadband subscriber information to Internet service providers who were not supposed to see it.
Openserve is the wholesale and networks division of Telkom. It operates the company’s wholesale landline copper and fibre infrastructure.
As part of its wholesale offering to Internet service providers (ISPs), it provides a portal to track support services.
Its Openserve Uniweb system contains information about broadband subscribers who have reported faults on their lines.
MyBroadband received information from a concerned ISP executive who stumbled upon a security vulnerability in Uniweb.
According to the ISP exec, any Openserve reseller with credentials to log into the Uniweb online portal can simply change the reference number of a fault report in their browser’s URL bar and view the fault, even if it’s not their client.
These reference numbers are always sequential, making them easy to guess, the executive said.
“You can view the full history on each circuit which potentially contains cellphone numbers, names, addresses, and other personal information,” he said.
“I assume this is a very old Telkom system and this has issues concerning the Protection of Personal Information Act (POPI).”
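The behaviour the executive describes is a missing per-record ownership check: the portal confirms that a reseller is logged in, but not that the requested fault belongs to that reseller. The following is an added illustration, not Uniweb's code; the fault store, reseller names, reference numbers and function names are all constructed assumptions. It shows the lookup without and with the ownership check, plus a simple count of denied lookups per reseller.

```python
# Constructed sample data: fault reference -> record, tagged with the owning reseller.
FAULTS = {
    100231: {"isp": "isp-a", "circuit": "C-0001", "history": "constructed note A"},
    100232: {"isp": "isp-b", "circuit": "C-0002", "history": "constructed note B"},
    100233: {"isp": "isp-a", "circuit": "C-0003", "history": "constructed note C"},
}


class NotFound(Exception):
    """Raised for missing and foreign references alike, so the response
    does not reveal which reference numbers exist."""


def get_fault_unchecked(session_isp, ref):
    # Flawed pattern from the article: a login is required, but the record
    # is fetched by reference alone and its owner is never compared.
    if session_isp is None:
        raise PermissionError("login required")
    return FAULTS[ref]


def get_fault_checked(session_isp, ref, audit_log):
    # Object-level authorization: the record must belong to the reseller
    # bound to the session, not merely to some authenticated reseller.
    if session_isp is None:
        raise PermissionError("login required")
    record = FAULTS.get(ref)
    if record is None or record["isp"] != session_isp:
        audit_log.append((session_isp, ref))  # keep evidence of the denial
        raise NotFound(ref)
    return record


def flag_probing(audit_log, threshold=3):
    # Detection: resellers with at least `threshold` denied lookups.
    counts = {}
    for isp, _ref in audit_log:
        counts[isp] = counts.get(isp, 0) + 1
    return sorted(isp for isp, n in counts.items() if n >= threshold)
```

Making reference numbers non-sequential would only make them harder to guess; the ownership comparison is what stops one reseller from reading another's fault reports.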
The ISP said that they tried to report the vulnerability to Telkom directly, but received no response.
“This is worth bringing to people’s attention as trying to log this via Telkom support failed miserably,” he said.
MyBroadband contacted Telkom for comment on the security flaw in its Uniweb portal, but the company did not respond by the time of publication.
The Uniweb site has, however, been taken down for maintenance. This may be to fix the security problem.