In case you didn’t know, the city of Johannesburg has a new online system with which residents can look over their municipal bills, making it easy to bring up invoices for electricity, water, property taxes and more online. In theory, it makes a rather dull and often obtuse process a lot simpler and more efficient.
However, there’s one con, and it’s a big one: the system’s site lets just about anyone find personal information on just about anyone else.
Johannesburg has more to shore up than its roads
The online system’s security vulnerabilities aren’t obscure backdoors or something along those lines. No, this is something far simpler and easier to exploit.
This system is relatively new, but some Johannesburg residents have probably seen it by now, most likely if they’ve received an SMS from the City of Joburg regarding an invoice or amounts due to be paid. An accompanying link directs recipients to the City of Joburg’s new online system, where they’re presented with a number of options.
From the system’s dashboard, users can view their invoices in a browser, pay their dues and download, email, or simply view relevant municipal documents. These documents contain, alongside invoices and balances and the like, droves of sensitive personal information, such as one’s full name and initials, the market value of their property, their address and more.
This is where the security woes begin. To start with, the site isn’t served over HTTPS, which is definitely an oversight but pales compared to its other big issue.
The door’s unlocked, come on in
See, Johannesburg residents don’t actually have to log in anywhere; they just have to click the link they were sent, or head over to the site and type in their account number to access their information. There’s no authentication to speak of.
This means that if someone were to somehow get your account number, they’d be able to access all of this without much trouble. Now, realistically, the chances of someone randomly seeing your specific account number are pretty low. But that doesn’t mean prying eyes can’t get into your account anyway. See, all one has to do to view another account is to go back over to where they input their own number and bump it up or down by one, which will cycle them over to the previous or next person’s account. Yikes.
What’s worse is that writing a program to scan through and collect data from the City of Joburg domain en masse is relatively easy for someone with that kind of know-how.
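The missing check, as an added example that is not the City of Joburg system’s own code: a lookup that hands back whatever account number it is given (the pattern described above) beside one that only returns an account the authenticated session has proved it owns. The account numbers, names, addresses and sessions are constructed sample data.

```python
"""Authorization check for a municipal-billing lookup (added example)."""
from dataclasses import dataclass
from typing import Optional
import secrets

# Constructed sample data: sequential account numbers, as described in the article.
ACCOUNTS = {
    100001: {"name": "A. Resident", "address": "1 Example St", "balance": 1250.00},
    100002: {"name": "B. Resident", "address": "2 Example St", "balance": 380.50},
    100003: {"name": "C. Resident", "address": "3 Example St", "balance": 0.00},
}


class AccessDenied(Exception):
    """Raised when the caller is not entitled to the requested account."""


def lookup_unauthenticated(account_number: int) -> Optional[dict]:
    """The weak pattern: whoever supplies a number gets the record, so a
    neighbouring number reaches a neighbouring resident's data."""
    return ACCOUNTS.get(account_number)


@dataclass(frozen=True)
class Session:
    """An authenticated session, established by a login step (password or
    SMS one-time code) before any account data is shown."""
    resident_id: str
    accounts: frozenset  # account numbers this resident has proved they own


def lookup_authorized(session: Optional[Session], account_number: int) -> dict:
    """Hardened form: requires an authenticated session AND ownership of the
    account. Missing and foreign accounts produce the same error, so the
    endpoint cannot be used to confirm which account numbers exist."""
    if session is None:
        raise AccessDenied("login required")
    record = ACCOUNTS.get(account_number)
    if account_number not in session.accounts or record is None:
        raise AccessDenied("not your account")
    return record


def access_is_denied(session: Optional[Session], account_number: int) -> bool:
    """True when the hardened lookup refuses the request."""
    try:
        lookup_authorized(session, account_number)
    except AccessDenied:
        return True
    return False


def new_document_reference() -> str:
    """Unguessable reference for links sent by SMS, in place of the raw sequential
    account number; the server still requires login before showing the document."""
    return secrets.token_urlsafe(32)
```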
It’s a shockingly obvious vulnerability that puts some pretty sensitive information at risk. The domain is reportedly down at the moment, which could mean that these issues are currently being worked on. Fingers crossed. Knowing Johannesburg, that could take a while.
Source: My Broadband