MyBroadband has received information that the City of Joburg was alerted to the security flaw, which exposed their ratepayers’ private information, a week before it was reported on this website.
The City of Joburg was e-mailed about the security flaw on 13 August 2013 by an integration software developer, who asked to remain anonymous. This was a week before the problem was reported on MyBroadband on 20 August 2013.
MyBroadband is in possession of an e-mail sent by the software developer to the City of Joburg on 13 August, where he clearly described the security flaw.
In the e-mail he even suggested a solution to the problem (with an example), and provided an overview of the vulnerability to assist the City of Joburg.
The City of Joburg acknowledged receipt of this e-mail, and said that the “matter has been referred to the relevant department for attention”.
However, the vulnerability was not fixed after this correspondence, and ratepayers’ private information was left exposed until the issue hit the media a week later.
Serious questions can be raised about the City of Joburg’s communication channels. Richard Nene, the City of Joburg’s director of group and services IT division, said on 21 August 2013 that they were not aware of the security flaw.
According to Nene, the security flaw reports helped them to identify the problem and work on protecting their residents’ information.
This means that reporting such a security flaw through the City of Joburg’s regular channels simply did not work.
It further raises questions about the City of Joburg’s decision to open a police case against an individual for ‘hacking their system’ if they were made aware of the security flaw a week before it was publicly exposed.
MyBroadband asked the City of Joburg what a concerned citizen should do if they discover a security problem with the city’s system, but they did not answer this question.
The City of Joburg also did not answer questions about their decision to open a criminal case for what seems to be poor system design on their side.
Email sent to the City of Joburg on 13 August 2013
Downloading her municipal account for my mother-in-law, I’m concerned to note that the link (URL) provided on the Account by e-mail – Electronic Account Presentation | Overview Page has no security enabled on it.
This basically means that anyone can use a URL like the following:
And retrieve an invoice without any verification by using a valid-looking invoice number.
This could be prevented by adding some form of session id or (if the architecture makes that difficult) at least adding some extra hash or credential to validate the request.
A description of this kind of vulnerability:
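The mitigation the developer suggests above (binding a hash or credential to the request so that a valid-looking invoice number alone is not enough) can be shown concretely. The following Python example is added here and is not part of the e-mail, the City of Joburg’s system, or the original article. The base URL, the account and invoice numbers, the server secret and the token format are all assumptions; the weak lookup and the hardened lookup are placed side by side so the difference is visible.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample data standing in for an invoice store (not real records).
INVOICES = {
    "INV-1001": {"account": "A1", "owner": "Ratepayer One", "amount": "R 1 250.00"},
    "INV-1002": {"account": "A2", "owner": "Ratepayer Two", "amount": "R 980.50"},
}

# Hypothetical server-side secret; in a real deployment load it from a secret
# store and rotate it. It must never appear in the link itself.
SERVER_SECRET = b"example-only-secret-not-for-production"

# Hypothetical base URL for the download endpoint.
BASE_URL = "https://example.invalid/eap/invoice"


def lookup_unauthenticated(invoice_no: str):
    """The weak design described in the e-mail: whoever supplies a
    valid-looking invoice number gets the invoice, no verification."""
    return INVOICES.get(invoice_no)


def _token(account_id: str, invoice_no: str) -> str:
    """HMAC-SHA256 over the (account, invoice) pair. Only the server holds
    SERVER_SECRET, so a client cannot mint a token for another invoice."""
    msg = f"{account_id}|{invoice_no}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_download_url(account_id: str, invoice_no: str) -> str:
    """Issue a signed link. This is called only after the caller has been
    authenticated as the holder of account_id (assumed to have happened)."""
    query = urlencode({
        "acc": account_id,
        "inv": invoice_no,
        "tok": _token(account_id, invoice_no),
    })
    return f"{BASE_URL}?{query}"


def lookup_with_token(url: str):
    """Hardened lookup: recompute the HMAC from the parameters in the URL
    and compare in constant time. Returns None on any mismatch, and also
    refuses an invoice that does not belong to the account in the link."""
    params = parse_qs(urlparse(url).query)
    try:
        acc = params["acc"][0]
        inv = params["inv"][0]
        tok = params["tok"][0]
    except KeyError:
        return None  # missing parameter: treat as unauthenticated
    expected = _token(acc, inv)
    if not hmac.compare_digest(tok.encode(), expected.encode()):
        return None  # token forged, tampered, or copied from another link
    record = INVOICES.get(inv)
    if record is None or record["account"] != acc:
        return None  # token valid but invoice/account pair does not match
    return record


if __name__ == "__main__":
    link = make_download_url("A1", "INV-1001")
    print("legitimate link:", lookup_with_token(link)["owner"])
    # Swap the invoice number as an attacker would: the HMAC no longer matches.
    print("tampered link:", lookup_with_token(link.replace("INV-1001", "INV-1002")))
    # The weak design hands over the other ratepayer's invoice regardless.
    print("weak design:", lookup_unauthenticated("INV-1002")["owner"])
```

A session cookie tied to a logged-in account, which the e-mail mentions as the first option, would remove the need to carry anything in the link at all; the signed-parameter approach shown here is the fallback the e-mail describes for architectures where a session is hard to introduce. Either way the check must happen on the server for every request, and the token must be compared with a constant-time function so that a guessing attacker learns nothing from response timing.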