The online invoicing system on Mweb\u2019s website contained a vulnerability that let users that were logged into the system view another person\u2019s invoices, CEO of Mweb ISP Derek Hershaw has confirmed.<\/p>\n
A reader contacted MyBroadband about the security flaw at 20:00 on Monday, 3 February 2014 and the details of the vulnerability were sent on to Mweb shortly thereafter.<\/p>\n
Hershaw said that the vendor from which they license the system, who he did not name, fixed the issue just after 23:00.<\/p>\n
Similar to the security flaws discovered in the Mogale City and City of Johannesburg e-billing systems, users logged into their Mweb accounts that were viewing a PDF invoice could change the invoice number in the URL bar to view another subscriber\u2019s bill.<\/p>\n
This potentially exposed details such as contact details, Mweb user-names, and billing addresses.<\/p>\n
Hershaw said that the user who reported the flaw was able to see the invoices of other customers, but nothing more than that.<\/p>\n
\u201cHe actually accessed 4 other customers invoices and we will contact them during the course of this morning to explain what happened and apologise,\u201d Hershaw said.<\/p>\n
Another e-billing security flaw<\/strong><\/a><\/p>\n Website security flaws in SA \u2013 shooting the messenger<\/strong><\/a><\/p>\n E-toll website flaw a cyber-attack: Sanral<\/strong><\/a><\/p>\n