True story behind Joburg’s online security problems

On Tuesday (20 August 2013) BidorBuy CTO Gerd Naschenweng reported a security problem with the City of Joburg’s online billing system. The events before and after his report of the problem raise concerns about the city’s online security and its municipal processes.
A timeline of events shows when the security vulnerability was discovered, what Naschenweng tried to do when he discovered the problem, and what happened in the aftermath of the media reports.
11:00 on Tuesday 20 August 2013
Naschenweng discovered the COJ billing system problem, which exposed Joburg residents’ invoices containing private information, including names, addresses, account numbers, PIN codes, and financial details.
Shortly after 11:00 on Tuesday 20 August 2013
Naschenweng phoned the COJ call-centre, but he was told that he could not be connected to IT or anyone who is responsible for the website.
“I then asked to speak to a supervisor as the agent could not comprehend the urgency of the problem and the call-centre agent refused and put the phone down. I then submitted an e-mail to COJ, but I did not expect an urgent response,” he said.
11:35 on Tuesday 20 August 2013
Naschenweng, under the username MagicDude4Eva, posted his concerns on the MyBroadband forum (discussion here: City of Joburg – security issue – everyone can see all customers statements). MyBroadband members quickly validated his concerns, and MyBroadband’s news team was alerted to the problem. Members also pointed out that Google had started to index the publicly available invoices.
13:35 on Tuesday 20 August 2013
MyBroadband publishes the news article titled “Massive security flaw exposes Joburg residents’ private info” after investigating the security problem; other media outlets pick up on the story.
MyBroadband faced the same challenges that Naschenweng faced in reaching people to report this problem and getting feedback from the COJ. The number provided by the COJ to address the issue delivered an engaged tone every time it was called over a 24-hour period.
15:35 on Tuesday 20 August 2013
The DNS of the domain which serves the publicly available invoices – cojestatements.co.za – is taken down. The invoices, however, remain publicly available using an IP address instead of the domain name.
Around 22:00 on Tuesday 20 August 2013
Users start reporting that the full cojestatements.co.za website has been taken down (not only its DNS), which means that the private invoices are no longer publicly available.
19:30 on Wednesday 21 August 2013
MyBroadband discovered that the invoices are once again publicly available while investigating the problem for a follow-on article. The article “City of Joburg exposes private information again” is published at around 20:00.
Around 20:00 on Wednesday 21 August 2013
The online statements website is taken down again, which means that the private invoices are no longer publicly available.
13:00 on Thursday 22 August 2013
At the time of publication Google still displayed the invoices which it indexed before the site was taken down.
Statements by the City of Joburg
Since the first news article about the City of Joburg’s billing security problem was published on MyBroadband, the media has been abuzz with the news.
South Africa’s most prominent news sources, including Radio 702, News24, and The Times reported the story, and in these reports the COJ made statements which did not go down well with South Africans.
Naschenweng, who discovered the security vulnerability and tried to assist the city to resolve the problem, is also not happy.
Here are some of the statements from the City of Joburg, with comments from consumers and Naschenweng.
The City of Joburg’s (COJ) Abraham Mahlangu told radio 702 that they have opened a police case to investigate how their online billing system was “maliciously hacked”.
Naschenweng responded: “The COJ is now attempting to discredit my honest attempt as a concerned citizen to assist in resolving one of their data-leakage issues, and by the sounds of it are now pursuing criminal charges against this. This is quite shocking as one would have expected more transparency instead of a witch-hunt, but I am completely open to challenge COJ if their accusations are directed at me.”
“Malicious hack? You do not need any hacking experience to uncover or take advantage of this security flaw. Poor security COJ. Take responsibility for it,” said one commentator, Renier.
Other user comments also questioned the COJ’s statements. These include: “They are now blaming their incompetence on malicious hacking”; and “A concerned member of the community tried to inform you of an error in your systems of which you couldn’t give a hoot and you call him a hacker”.
Richard Nene, the City of Joburg’s director of group and services IT division, told The Times that ratepayers’ information had not been compromised by the breach.
Users questioned Nene’s statements, with comments including: “Well, he’s lying. Plain and simple”; and “Excuse me, how come yesterday I downloaded and viewed 5 statement accounts?”.
No feedback from the City of Joburg
MyBroadband asked the City of Joburg whether the fact that ratepayers’ invoices were exposed publicly – containing PINs, names, addresses and financial details – does not constitute a compromise of information.
MyBroadband also asked the CoJ why it would call the security flaw a malicious attack, especially after the person who discovered the security problem tried to report it to the CoJ to help them resolve the problem.
We further asked the city what should be done by anyone who discovers a security problem with their online services, and what they are doing to resolve this problem.
Unfortunately the City did not respond to these questions by the time of publication. MyBroadband also tried to reach a spokesperson telephonically, but the relevant number was not answered.