MWEB website security flaw
The online invoicing system on Mweb’s website contained a vulnerability that let users who were logged into the system view another person’s invoices, CEO of Mweb ISP Derek Hershaw has confirmed.
A reader contacted MyBroadband about the security flaw at 20:00 on Monday, 3 February 2014 and the details of the vulnerability were sent on to Mweb shortly thereafter.
Hershaw said that the vendor from which they license the system, whom he did not name, fixed the issue just after 23:00.
Similar to the security flaws discovered in the Mogale City and City of Johannesburg e-billing systems, users who were logged into their Mweb accounts and viewing a PDF invoice could change the invoice number in the URL bar to view another subscriber’s bill.
This potentially exposed information such as contact details, Mweb user-names, and billing addresses.
Hershaw said that the user who reported the flaw was able to see the invoices of other customers, but nothing more than that.
“He actually accessed 4 other customers’ invoices and we will contact them during the course of this morning to explain what happened and apologise,” Hershaw said.
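The class of flaw described above, where being logged in is checked but ownership of the requested invoice is not, is shown here as an added example; it is not Mweb's or its vendor's code, whose implementation the article does not describe. The handler names, account names and invoice data are hypothetical and constructed for illustration, and `cross_account_leaks` is a regression check a billing team could run against any such handler.

```python
# Constructed sample data: invoice number -> owning account and PDF name.
INVOICES = {
    1001: {"account": "alice", "pdf": "invoice-1001.pdf"},
    1002: {"account": "bob", "pdf": "invoice-1002.pdf"},
}

class Forbidden(Exception):
    """No authenticated session."""

class NotFound(Exception):
    """Invoice missing, or not visible to the caller."""

def get_invoice_vulnerable(session_account, invoice_no):
    """Flawed pattern: checks only that *someone* is logged in."""
    if session_account is None:
        raise Forbidden("login required")
    invoice = INVOICES.get(invoice_no)
    if invoice is None:
        raise NotFound(invoice_no)
    return invoice["pdf"]  # the owner is never compared to the session

def get_invoice_checked(session_account, invoice_no):
    """Corrected pattern: the invoice must belong to the session's account."""
    if session_account is None:
        raise Forbidden("login required")
    invoice = INVOICES.get(invoice_no)
    # Same answer for "missing" and "not yours", so the response does not
    # confirm which invoice numbers exist.
    if invoice is None or invoice["account"] != session_account:
        raise NotFound(invoice_no)
    return invoice["pdf"]

def cross_account_leaks(handler):
    """Return (account, invoice_no) pairs where handler served an invoice
    that the account does not own. An empty list means the check holds."""
    accounts = sorted({inv["account"] for inv in INVOICES.values()})
    leaks = []
    for account in accounts:
        for invoice_no in sorted(INVOICES):
            try:
                handler(account, invoice_no)
            except (Forbidden, NotFound):
                continue
            if INVOICES[invoice_no]["account"] != account:
                leaks.append((account, invoice_no))
    return leaks

if __name__ == "__main__":
    print("vulnerable:", cross_account_leaks(get_invoice_vulnerable))
    print("checked:   ", cross_account_leaks(get_invoice_checked))
```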