Critical security flaw exposed Joburg residents’ private info

The City of Joburg’s new online system for viewing municipal bills has a significant flaw that exposed the personal information of its municipal customers.
In 2013, MyBroadband reported that the predecessor to the new site — cojestatements.co.za — had similar vulnerabilities.
The new site lets City of Joburg customers view electronic invoices on their municipal accounts, including for water, electricity, refuse, and property taxes.
Johannesburg resident and security researcher Simon Stewart contacted MyBroadband after discovering that the site contained several blatant security oversights.
Stewart emphasised he reported the issue so that CoJ could fix it.
He was concerned it had exposed the personal information of Johannesburg residents and violated the Protection of Personal Information Act, and demanded that someone be held accountable for the vulnerabilities.
The vulnerabilities included the complete absence of an authentication step, the apparent ability to reach other customers’ accounts simply by changing the account number in the URL, and no HTTPS, leaving all traffic open to interception.
Stewart explained that he discovered the site after receiving an SMS from the city on Friday, 15 October.
The message included the amount due on his municipal bill and a URL where he could view his account and make payments, as shown in the image below.
He opened the URL from an isolated device in case it was a malicious link and discovered it led him to an official City of Joburg domain followed by his account number in the URL bar.
The dashboard he was presented with included options to let him view, download, or have his account statement sent to his email address. It also provided an option to make payments on the account.
Notably, he was not required to log in or provide a password at any point before accessing this dashboard.
Selecting “View” opened the statement in a PDF format, which included information like his initials, surname, address, stand number, the market value of his property, his account number, and PIN code for the account.
It also contained the amounts he owed the municipality for electricity, water, sewerage, refuse, and property taxes.
Aside from the lack of authentication, of particular concern was that his account number was visible in plain text in the URL.
Anyone who knew the site’s domain and a single valid account number could, in principle, reach every account on the system simply by incrementing or decrementing that number, because the account number in the URL was the only thing the site used to decide whose statement to show (a textbook insecure direct object reference).
It would also be relatively simple to write a script that steps through account numbers in sequence and harvests the statements from every account in bulk.
The image below shows the information available on the electronic invoices, with sensitive details redacted.
Changing the account number to the next one in the sequence takes the user to another Johannesburg resident’s dashboard, with access to their account statements and details.
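To make the flaw concrete, the following is an added example written for this page; it is not code from the City of Joburg or its site. It models the pattern described above (an unauthenticated `/statement/<account>` route that trusts the number in the path) beside a hardened version that ignores path identifiers and serves a statement only to an expiring, unguessable link token or to the authenticated owner of the account. The account records, paths, balances and function names are all constructed for the illustration.

```python
"""Unauthenticated sequential account IDs (the flaw described above) beside one fix.

Added example for this page; not the City of Joburg's code. All data, paths
and helper names here are constructed for the demonstration.
"""
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed sample accounts (fictional; no real resident data).
ACCOUNTS = {
    "500100": {"surname": "Mokoena", "balance": 1234.50, "pin": "4821"},
    "500101": {"surname": "Naidoo", "balance": 88.00, "pin": "1933"},
    "500102": {"surname": "Van Wyk", "balance": 0.00, "pin": "7702"},
}


def vulnerable_statement(path: str) -> Optional[dict]:
    """The pattern the article describes: /statement/<account>, no login.

    Whoever supplies an account number gets that account's statement, PIN included.
    """
    account = path.rstrip("/").rsplit("/", 1)[-1]
    return ACCOUNTS.get(account)


def enumerate_accounts(handler, start: int, count: int) -> list:
    """The 'increment the counter' attack against any handler taking /statement/<n>.

    Returns the account numbers for which the handler handed back a statement.
    """
    found = []
    for n in range(start, start + count):
        if handler(f"/statement/{n:06d}") is not None:
            found.append(f"{n:06d}")
    return found


# --- Hardened version ------------------------------------------------------

# Opaque token -> (account, expiry). Assumption: in a real deployment this lives
# in a database or cache, and the link is only ever served over HTTPS so the
# token cannot be sniffed in transit.
_LINK_TOKENS: Dict[str, Tuple[str, float]] = {}
LINK_TTL_SECONDS = 7 * 24 * 3600


def issue_statement_link(account: str, now: Optional[float] = None) -> str:
    """Mint an expiring, random link for the SMS instead of exposing the account number."""
    if account not in ACCOUNTS:
        raise KeyError("unknown account")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits: neither guessable nor sequential
    _LINK_TOKENS[token] = (account, now + LINK_TTL_SECONDS)
    return f"/statement?t={token}"


def hardened_statement(path: str, now: Optional[float] = None,
                       session_account: Optional[str] = None) -> Optional[dict]:
    """Serve a statement only to a valid link token or to the authenticated owner.

    Any account number in the path is ignored, so incrementing it buys nothing.
    `session_account` stands in for the account bound to a logged-in session
    (constructed for the example; a real app reads it from its session store).
    """
    now = time.time() if now is None else now
    if session_account is not None:
        # Logged-in user: the resource is bound to the session, never to the URL.
        return ACCOUNTS.get(session_account)
    query = path.partition("?")[2]
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    token = params.get("t")
    entry = _LINK_TOKENS.get(token) if token else None
    if entry is None:
        return None
    account, expiry = entry
    if now > expiry:
        _LINK_TOKENS.pop(token, None)  # purge expired links
        return None
    return ACCOUNTS[account]


if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(vulnerable_statement, 500099, 5))
    print("hardened:  ", enumerate_accounts(hardened_statement, 500099, 5))
    link = issue_statement_link("500100")
    print("owner via link:", hardened_statement(link)["surname"])
```

The enumeration loop finds every constructed account through the vulnerable handler and nothing through the hardened one, because the hardened route never consults the path. A random link token fixes the "guessable identifier" half of the problem, but it is a capability, not a login: payments and anything beyond viewing should still sit behind authentication, the token endpoint should be rate-limited, and the link must travel over HTTPS or the token is as exposed as the account number was.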
In addition to these oversights, the site was served over plain HTTP rather than HTTPS, so account numbers, PINs and statement contents travelled unencrypted and could be read or altered by anyone positioned on the network path.
We contacted the City of Joburg for comment on the issue.
Although it said it was attending to our query, we had not received feedback on our questions by the time of publication.
However, the affected domain appeared to be down the morning after we reported the issues.