Another e-billing security flaw

Mogale City residents have been able to view one another’s electronic bills on the hosted repository management system (RMS) that the municipality uses.
A spokesperson for Bidvest Data told MyBroadband that it owns and operates the ebillrms.co.za domain where the RMS is hosted.
Similar to the vulnerability on the City of Joburg (CoJ) e-Services portal, bills could be requested by entering a document number in the URL bar of a browser. These document numbers were sequential, making it very easy to guess them.
Unlike the CoJ vulnerability, bills are only visible to users logged into the RMS, and according to the information MyBroadband received, very little personal information is shown on the bills themselves.
However, it was demonstrated to MyBroadband that finding valid login credentials for the Mogale City RMS is fairly easy.
This stems from the municipality’s decision to use a resident’s account number as their default username and password.
The Mogale City website urges users to change their password after they log in for the first time, but users aren’t forced to do so by the RMS.
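The two weaknesses described above, a sequential document number in the URL with no ownership check and a default password equal to the account number, as an added example of the corresponding server-side fixes plus a simple access-log check (constructed Python, not Bidvest's RMS code; all names, routes and sample data are assumptions):

```python
# Added example: ownership check on bill lookups, forced password change while the
# default credential is still in use, and detection of sequential document requests.
import re

# Constructed sample data: account -> current password, document -> owning account.
ACCOUNTS = {"1001": "1001", "1002": "s3cret-pw"}  # 1001 still uses the default
BILLS = {100234: {"owner": "1001", "amount": "R1 250.00"},
         100235: {"owner": "1002", "amount": "R980.40"}}

def login(account: str, password: str) -> str:
    """Return 'denied', 'must_change_password' (default still set) or 'ok'."""
    if ACCOUNTS.get(account) != password:
        return "denied"
    # Default credential: username and password are both the account number,
    # so the application must force a reset instead of merely urging one.
    return "must_change_password" if password == account else "ok"

def fetch_bill(session_account: str, document_number: int):
    """Server-side ownership check: a valid session alone must not read any bill."""
    bill = BILLS.get(document_number)
    if bill is None or bill["owner"] != session_account:
        return None  # identical response for missing and foreign documents
    return bill

# Hypothetical access-log format: "acct=<account> GET /bill?doc=<document number>"
LOG_RE = re.compile(r"acct=(?P<acct>\d+) GET /bill\?doc=(?P<doc>\d+)")

def sequential_runs(log_lines, min_run=3):
    """Flag accounts whose requests walk through consecutive document numbers,
    returning {account: longest consecutive run} for runs of at least min_run."""
    by_acct = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            by_acct.setdefault(m["acct"], []).append(int(m["doc"]))
    flagged = {}
    for acct, docs in by_acct.items():
        run = 1
        for prev, cur in zip(docs, docs[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged[acct] = max(flagged.get(acct, 0), run)
    return flagged

SAMPLE_LOG = [  # constructed access-log lines
    "acct=1001 GET /bill?doc=100234",
    "acct=1001 GET /bill?doc=100235",
    "acct=1001 GET /bill?doc=100236",
    "acct=1001 GET /bill?doc=100237",
    "acct=1002 GET /bill?doc=100235",
]
```

Account 1001 is flagged with a run of four consecutive documents, while account 1002, which only fetched its own bill, is not.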
When contacted about the potential security problem, the Bidvest Group company behind E-bill RMS thanked MyBroadband and the vulnerability researcher for bringing it to their attention.
Although they could not provide specific feedback on the situation, it was apparent that Mogale City’s instance on the RMS platform had been placed in maintenance mode within minutes of the problem being reported. This prevented users from signing in until the issue could be addressed.
At the time of writing, Mogale City’s e-bill system was still in maintenance mode.
Mogale City not the only ebillrms.co.za customer
A quick Google search revealed that Mogale City wasn’t the only organisation with an RMS hosted at ebillrms.co.za.
Among the companies listed as having systems hosted on the site are Siemens AG, ArcelorMittal, Media24, and MTN.
This raises the question: are their repositories affected by the same vulnerability as Mogale City’s?
The answer appears to be “no”, though a spokesperson from Bidvest Data was not able to answer questions about individual customers.
“The system is designed to provide a unique and tailor-made offering to every one of our customers based on their specific needs regarding their security levels,” the Bidvest Data spokesperson said.
“We are instructed by our customers on the level of security and access that they require and can unfortunately not comment on an individual customer as we are bound by a confidentiality agreement,” the spokesperson said.
Bidvest said that it has notified Mogale City about the security flaw and is in the process of suggesting suitable changes.
Mogale City was contacted for comment about the vulnerability, but did not respond by the time of publication.
Thanks to Wilhelm for reporting the vulnerability