Big revelation in City of Joburg security flaw case

MyBroadband has received information that the City of Joburg was alerted to the security flaw, which exposed their ratepayers’ private information, a week before it was reported on this website.

The City of Joburg was e-mailed about the security flaw on 13 August 2013 by an integration software developer, who asked to remain anonymous. This was a week before the problem was reported on MyBroadband on 20 August 2013.

MyBroadband is in possession of an e-mail sent by the software developer to the City of Joburg on 13 August, in which he clearly described the security flaw.

In the e-mail he even suggested a solution to the problem (with an example), and provided an overview of the vulnerability to assist the City of Joburg.

The City of Joburg acknowledged receipt of this e-mail, and said that the “matter has been referred to the relevant department for attention”.

However, the vulnerability was not fixed after this correspondence, and ratepayers’ private information was left exposed until the issue hit the media a week later.

Serious questions can be raised about the City of Joburg’s communication channels. Richard Nene, the City of Joburg’s director of group and services IT division, said on 21 August 2013 that they were not aware of the security flaw.

According to Nene, the security flaw reports helped them to identify the problem and work on protecting their residents’ information.

This means that reporting such a security flaw through the City of Joburg’s regular channels simply did not work.

It further raises questions about the City of Joburg’s decision to open a police case against an individual for ‘hacking their system’, given that they were made aware of the security flaw a week before it was publicly exposed.

MyBroadband asked the City of Joburg what a concerned citizen should do if they discover a security problem with the city’s system, but they did not answer this question.

The City of Joburg also did not answer questions about their decision to open a criminal case for what seems to be poor system design on their side.

Email sent to the City of Joburg on 13 August 2013

Hi,

Downloading her municipal account for my mother in law, I’m concerned to note that the link (URL) provided on the Account by e-mail – Electronic Account Presentation | Overview Page has no security enabled on it.

This basically means that anyone can use a URL like the following:

http://cojestatements.co.za:8080/cojpdfweb/getPDF?documentID=19000XXXXXXX&download=false

And retrieve an invoice without any verification by using a valid-looking invoice number.

This could be prevented by adding some form of session id or (if the architecture makes that difficult) at least adding some extra hash or credential to validate the request.

Something like:
http://cojestatements.co.za:8080/cojpdfweb/getPDF?documentID=19000XXXXXXX&download=false&HASH=FDAKD3

A description of this kind of vulnerability:
https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
http://cwe.mitre.org/data/definitions/288.html
http://cwe.mitre.org/data/definitions/639.html
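As an added illustration of the two mitigations the developer proposes (a session check, or a hash credential carried in the link), not code from the e-mail or from the City of Joburg's system: the handler below serves a statement only when the requester's session owns it, or when the link carries an HMAC bound to that documentID and its owner. The secret, account names and documentIDs are constructed for the example.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed server-side secret; a real deployment loads this from a secrets store.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed ownership table: which ratepayer account each statement belongs to.
STATEMENT_OWNER = {
    "190001234567": "acct-A",
    "190001234568": "acct-B",
}

# Same endpoint shape as the URL quoted in the e-mail above.
ENDPOINT = "http://cojestatements.co.za:8080/cojpdfweb/getPDF"


def _sign(document_id: str, account: str) -> str:
    # Bind the credential to both the document and the account it was issued for,
    # so a HASH lifted from one link cannot be replayed against another documentID.
    msg = f"{document_id}|{account}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_statement_link(document_id: str, account: str) -> str:
    """Link as it would be placed in the account e-mail: the developer's
    suggested HASH parameter, computed for the statement's owner."""
    query = urlencode({"documentID": document_id, "download": "false",
                       "HASH": _sign(document_id, account)})
    return f"{ENDPOINT}?{query}"


def authorize_download(url: str, session_account: Optional[str]) -> bool:
    """Server-side check replacing the bare documentID lookup.
    Allow if the logged-in session owns the statement, else only if the
    link carries a valid HASH for that statement's owner."""
    params = parse_qs(urlparse(url).query)
    document_id = params.get("documentID", [""])[0]
    owner = STATEMENT_OWNER.get(document_id)
    if owner is None:
        return False  # unknown documentID: deny without revealing anything
    if session_account is not None and session_account == owner:
        return True  # session id acts as the credential
    supplied = params.get("HASH", [""])[0]
    # Constant-time comparison so response timing does not leak the expected value.
    return hmac.compare_digest(supplied, _sign(document_id, owner))
```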
