The security vulnerability that exposed City of Joburg (CoJ) residents’ private information has not been fixed, and the invoice system is back online, albeit slightly hidden.
MyBroadband published the article “Massive security flaw exposes Joburg residents’ private info” at 13:35 yesterday. Shortly thereafter, at around 15:35, the cojestatements.co.za site’s DNS was taken down.
However, the invoices could still be viewed by using the IP address of the domain instead of the domain name. The full site was finally taken down a while later.
The City of Joburg released a statement on Wednesday, saying that they are aware of the security breach on their e-statement services.
“Our technical team has brought the services down to prevent further unauthorized access to consumer accounts,” the CoJ said.
“We are currently investigating the root cause and a permanent solution will be applied. We do apologise for any inconvenience caused.”
Despite this assurance from the CoJ, private invoices once again became freely available.
On Wednesday 21 August at around 19:30, while working on a follow-on article, MyBroadband discovered that the links using IP addresses resolved again. This meant the private invoices could be accessed.
The vulnerability, which is now common knowledge, could be exploited by anyone with an Internet connection.