In recent months four security flaws were uncovered in four prominent South African websites. How each organisation handled the news clearly illustrates the differences in attitude towards security and in understanding of IT systems.
The four security flaws discovered within the websites of the City of Joburg, Vodacom, Cell C, and Sanral were all similar, exposing the private information of their clients.
The vulnerabilities were further comparable in that none of them required significant technical knowledge to exploit.
Internet users who report these security flaws help companies to secure their websites and stop criminals from exploiting these security flaws.
It is noteworthy that most people who reported the security flaws wanted the vulnerabilities to be fixed to protect both these affected organisations and their clients.
City of Joburg
In August 2013 a security vulnerability was discovered in the City of Joburg’s (CoJ) online e-statements system which exposed residents’ and businesses’ personal details.
After this vulnerability hit the media, the City of Joburg shut down its e-statements system and said that it regarded the breach of its system as a criminal act.
The city also opened a criminal case against “a suspected perpetrator” after a “thorough forensic investigation by the city and its private IT experts”.
What is perplexing is that the City of Joburg must have been aware that the alleged “hacker” had first tried to alert the city to the security flaw, and that this attempt failed because of the city’s poor reporting channels. Only then did he go public with the information.
To date the City of Joburg has not answered questions or explained why it would open a police case against a person who was trying to help them to fix their security flaw.
Sanral e-toll portal
In January 2014 a hacker identifying themselves as “Moe1” published an unofficial security advisory warning e-toll users that the PINs used to log into their e-toll website accounts could be easily obtained if their username was known.
This was due to a page on the South African National Roads Agency Limited (Sanral) website which could be exploited to expose the PIN of any registered e-toll website user.
Sanral followed the City of Joburg’s strategy, and called the security flaw a “cyber-attack”.
“Sanral strongly condemns the cyber-attack on the online e-toll account management website,” said Sanral’s general manager of communications, Vusi Mona.
“Some people may not like e-tolls but launching an attack on law abiding citizens, just because they registered an e-toll account, is appalling,” Mona said.
It is not clear why Mona would equate highlighting a security flaw to a “cyber-attack” and “launching an attack on law abiding citizens”.
My Vodacom
In late December 2013 it emerged that a security flaw in the “My Vodacom” online portal exposed Vodacom subscribers’ personal details, including account balances, package details, service providers, average monthly spend, the handset used, and PUK and PIN details.
The flaw allowed a Vodacom subscriber who is logged into the My Vodacom online portal to enter any Vodacom number and find personal details linked to this number.
Vodacom was alerted about the security flaw on the afternoon of 26 December and the company launched a “complete investigation”.
Vodacom reported back to MyBroadband the same day that the flaw had been identified, and a patch was developed overnight.
The patch was tested successfully on the morning of 27 December and was deployed into production by midday on the same day. Overall it took less than 24 hours to find and rectify the problem.
Vodacom thanked the person who reported this security flaw for bringing this to their attention.
My Cell C
In January 2014 information emerged that a security flaw in Cell C’s online portal – aka My Cell C – allowed anyone with an internet connection to view personal information about many of Cell C’s subscribers.
Using a mobile number and a generic password, a wide range of personal information could be accessed through the portal, including account details, banking details, numbers called, PIN and PUK numbers and payment history.
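The Sanral, Vodacom and Cell C flaws share one root cause: a lookup page that accepts an identifier (a username or mobile number) from the client and returns that account’s data without checking that the caller is entitled to it. The following is an added illustration of that pattern and its fix; it is constructed for this article and is not code from any of the companies named. The account records, the `Session` class and the function names are all made up.

```python
# Added, constructed illustration of a missing ownership check on an
# account lookup. Not code from Vodacom, Cell C, Sanral or the City of
# Joburg; all names and data below are invented for the example.


class Forbidden(Exception):
    """Raised when a request fails authentication or authorisation."""


# Constructed sample subscriber records, keyed by mobile number (MSISDN).
ACCOUNTS = {
    "27820000001": {"balance": 120.50, "package": "Prepaid",
                    "pin": "1234", "puk": "11112222"},
    "27820000002": {"balance": 15.00, "package": "Contract",
                    "pin": "4321", "puk": "33334444"},
}


class Session:
    """The identity a caller proved at login; only the number matters here."""

    def __init__(self, msisdn: str):
        self.msisdn = msisdn


def lookup_vulnerable(session, msisdn: str) -> dict:
    """Checks only that the caller is logged in, then returns whatever record
    the client asks for, so a logged-in subscriber can read any number's
    details, PIN and PUK included. This is the flaw pattern, kept on purpose."""
    if session is None:
        raise Forbidden("login required")
    if msisdn not in ACCOUNTS:
        raise KeyError(msisdn)
    return ACCOUNTS[msisdn]


def lookup_hardened(session, msisdn: str) -> dict:
    """Ties the lookup to the authenticated identity: the client-supplied
    number must match the session, and secrets are masked even for the owner."""
    if session is None:
        raise Forbidden("login required")
    if msisdn != session.msisdn:
        # Authorisation failure: the caller may be logged in, but not as the
        # owner of this account. Rejecting here is also what you would log
        # and alert on, since scripted enumeration shows up as many of these.
        raise Forbidden("account does not belong to the authenticated subscriber")
    record = ACCOUNTS[msisdn]
    return {
        "balance": record["balance"],
        "package": record["package"],
        # Defence in depth: a general account view has no need to show the
        # PIN or the full PUK. The owner would retrieve the PUK through a
        # separate, explicitly confirmed action (not shown here).
        "pin": "****",
        "puk": "****" + record["puk"][-4:],
    }


def demo():
    """Runs both handlers as the same logged-in subscriber."""
    alice = Session("27820000001")
    leaked = lookup_vulnerable(alice, "27820000002")   # another subscriber's record
    own = lookup_hardened(alice, "27820000001")        # her own, with secrets masked
    try:
        lookup_hardened(alice, "27820000002")
        blocked = False
    except Forbidden:
        blocked = True
    return leaked["puk"], own["puk"], blocked


if __name__ == "__main__":
    print(demo())
```

The important design choice is that the hardened handler never trusts the identifier in the request to decide whose data to return; the session decides, and the request parameter is only compared against it. A portal that has no login at all, as in the Cell C case where a generic password sufficed, has nothing to compare against and needs real per-subscriber authentication before such a check can even be made.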
MyBroadband alerted Cell C to the security flaw on 2 January 2014, and within 24 hours a patch had been developed, tested and deployed; the issue is now fully resolved.
Cell C thanked the person who highlighted the security flaw and MyBroadband for bringing it to their attention.