The security flaw which exposed the private information of City of Joburg and Ekurhuleni Municipality client invoices is more widespread than these two municipalities.
What is of even more concern is the fact that the flaw is nothing new.
The latest security vulnerabilities which exposed private information reported to MyBroadband included the Merafong Municipality and the Ghana visa application system.
In the case of Merafong Municipality, incrementing the invoice number made it possible for residents logged in to the system to view other residents’ invoices.
The Merafong IT department was contacted about the vulnerability, and the concerned citizen said he was thanked for reporting the problem. The municipality is investigating the issue.
The Merafong IT department confirmed that they have been notified about the problem. They passed this information on to their service provider, which is working to resolve the problem.
A well-known independent security research company also showed this week that the online visa application system for Ghana had the same security flaw.
Anyone logged in to the visa system can simply change the number in the URL to view another person’s application. This application contained a range of private information associated with a visa application.
Innobiz Holdings, the company behind the Ghana online visa application system, was alerted about the problem.
The company thanked MyBroadband for bringing it to their attention, and said it will investigate the vulnerability with their security partner.
Well-known security vulnerability
MyBroadband spoke to a security analyst about the problem, and he said that people can expect this problem to pop up again and again.
In fact, this vulnerability is so widespread that it is currently listed as number 4 in the Open Web Application Security Project’s (OWASP’s) Top 10 security problems with web applications and web services.
The security flaw, called “Insecure Direct Object References”, occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key.
“Without an access control check or other protection, attackers can manipulate these references to access unauthorized data,” the OWASP website states.
In simple terms it means that an attacker, who is an authorised system user, simply changes a parameter value (like a number in a URL) that directly refers to a system object, so that it points at another object the user isn’t authorised for.
In the case of the City of Joburg the vulnerability was even worse because an attacker did not even have to be logged in to view unauthorised files.
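The pattern the article describes, shown as an added example rather than code from any of the systems named above: a lookup that uses the URL number as a database key with no ownership check (and, as in the City of Joburg case, no login), next to the hardened form OWASP calls for, plus a scoped listing and a simple log heuristic a defender could use to spot invoice-number incrementing. The invoice store, account names, function names and the access-log shape are all constructed for illustration.

```python
"""Insecure Direct Object Reference (IDOR) on an invoice lookup, and its fix.

Added example: this is not code from any municipal or visa system in the
article. The data, account names and log format below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str      # account that owns this invoice
    amount: float


# Constructed sample data standing in for a billing database.
INVOICES = {
    1001: Invoice(1001, "alice", 1250.00),
    1002: Invoice(1002, "bob", 830.50),
    1003: Invoice(1003, "alice", 410.00),
}


class Forbidden(Exception):
    pass


class Unauthenticated(Exception):
    pass


def vulnerable_get_invoice(session_user: Optional[str], invoice_id: int) -> Invoice:
    """The flawed pattern: the request parameter is used as the database key
    directly. Nothing ties the invoice to the requesting account, and the
    handler does not even require a login (the City of Joburg variant)."""
    return INVOICES[invoice_id]


def hardened_get_invoice(session_user: Optional[str], invoice_id: int) -> Invoice:
    """The fix: authenticate, then check that the object belongs to the caller."""
    if session_user is None:
        raise Unauthenticated("login required")
    invoice = INVOICES.get(invoice_id)
    # Same error for "does not exist" and "not yours", so a rejected request
    # does not reveal which invoice numbers are in use.
    if invoice is None or invoice.owner != session_user:
        raise Forbidden("invoice not accessible to this account")
    return invoice


def list_my_invoices(session_user: str) -> list[int]:
    """Query scoped to the caller: the only ids a client needs are its own."""
    return sorted(i.invoice_id for i in INVOICES.values() if i.owner == session_user)


def access_outcome(session_user: Optional[str], invoice_id: int) -> str:
    """Wraps the hardened handler and returns what an access log would record."""
    try:
        hardened_get_invoice(session_user, invoice_id)
        return "ok"
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"


def flag_enumeration(access_log: list[tuple[str, int, str]], threshold: int = 3) -> set[str]:
    """Detection heuristic over (user, invoice_id, outcome) records: a user
    rejected on `threshold` consecutive invoice numbers looks like someone
    incrementing the id. Assumes every lookup is logged with its outcome."""
    rejected: dict[str, set[int]] = {}
    for user, invoice_id, outcome in access_log:
        if outcome == "forbidden":
            rejected.setdefault(user, set()).add(invoice_id)
    flagged = set()
    for user, ids in rejected.items():
        ordered = sorted(ids)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= threshold:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    # Constructed session: bob walks through ids 1001..1004 after viewing his own.
    log = [("bob", n, access_outcome("bob", n)) for n in (1002, 1001, 1003, 1004, 1005)]
    print(log)
    print("flagged:", flag_enumeration(log))
```

The two handlers take identical arguments so the only difference a reviewer sees is the check; in a real application that check belongs in a shared data-access layer rather than in each route, so a new endpoint cannot forget it.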
According to the security analyst, this security flaw in a web system points to a lack of knowledge about online security, sloppy design, and a poor security evaluation of a system.
He said that a proper evaluation of the system by a qualified security analyst before launch will pick up these problems and help create more secure systems.
The OWASP report also states that the vulnerability is easy to detect, raising the question why it slipped through with high profile systems in South Africa.
The City of Joburg could not immediately comment on the security vulnerability.