Despite claims by the City of Joburg (CoJ) that the exposure of bills, which were easily accessible on its website, was the result of a “malicious hack”, the man who brought the issue to light explains that the discovery of the security flaw was far from it.
On Tuesday (20 August) BidorBuy CTO Gerd Naschenweng revealed to MyBroadband that the City of Joburg online system exposed customer statements – including account numbers and PIN codes – to anyone with an Internet connection.
After the matter was exposed by a MyBroadband report and picked up by other media, CoJ took the website down.
Speaking on Radio 702, the City of Joburg’s Abraham Mahlangu said that the city has opened a police case to investigate how its online billing system was “maliciously hacked”.
Mahlangu said further that a CoJ website user was behind the hack, and after accessing the system “went on to look for access to other accounts”.
However, the man who discovered the security flaw, BidorBuy CTO Gerd Naschenweng explained that there was no malicious intent in bringing the issue to light.
The real story
Speaking to MyBroadband, Naschenweng explained that he discovered the CoJ billing system problem at 11h00 on Tuesday 20 August 2013.
“I wanted to print my Joburg statement, and when I clicked on the link to view the statement, I noticed the URL parameter being the same as my invoice number,” said Naschenweng.
“I then incremented my number by 1 to see what will happen, and was surprised to see that some other person’s statement was displayed.”
He said he then tested the same link in another browser where he was not logged in, and he could still view someone else’s statement.
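What Naschenweng describes is an insecure direct object reference (IDOR): the statement is fetched by the invoice number in the URL, and the server never checks that the requester is logged in or that the invoice belongs to them. The following is an added illustration, not code from the CoJ billing system or from Naschenweng, showing that pattern beside a hardened handler that demands an authenticated session, verifies ownership, and optionally hands out a random per-user link token instead of the raw invoice number. The `STATEMENTS` data, the function names and the HTTP-style status codes are all constructed for the example.

```python
"""Added illustration of an insecure direct object reference (IDOR) in a
statement-download endpoint, beside a hardened version.  Not the CoJ system's
code; all identifiers and data below are constructed sample values."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Statement:
    invoice_no: int
    account_holder: str   # the only user entitled to view this statement
    body: str


# Constructed sample data: sequential invoice numbers for two different customers.
STATEMENTS: Dict[int, Statement] = {
    1001: Statement(1001, "alice", "Statement for account A (PIN inside)"),
    1002: Statement(1002, "bob", "Statement for account B (PIN inside)"),
}

# Random link tokens issued to authenticated owners (hypothetical defence in depth).
TOKENS: Dict[str, int] = {}


def view_statement_vulnerable(invoice_no: int) -> Optional[str]:
    """The flawed pattern: the invoice number in the URL is the only 'key'.
    No session is required and ownership is never checked, so any caller can
    walk the sequential numbers and read other customers' statements."""
    st = STATEMENTS.get(invoice_no)
    return st.body if st else None


def view_statement(session_user: Optional[str], invoice_no: int) -> Tuple[int, Optional[str]]:
    """Hardened pattern: require a logged-in user and verify ownership server-side.
    Returns an (http_status, body) pair."""
    if session_user is None:
        return 401, None                       # not authenticated
    st = STATEMENTS.get(invoice_no)
    # Same response for "does not exist" and "not yours": the caller learns
    # nothing about which invoice numbers are in use.
    if st is None or st.account_holder != session_user:
        return 404, None
    return 200, st.body


def issue_statement_token(session_user: Optional[str], invoice_no: int) -> Optional[str]:
    """Defence in depth: give the owner an unguessable token for the download link
    instead of exposing the sequential invoice number at all."""
    st = STATEMENTS.get(invoice_no)
    if session_user is None or st is None or st.account_holder != session_user:
        return None
    token = secrets.token_urlsafe(16)
    TOKENS[token] = invoice_no
    return token


def view_statement_by_token(session_user: Optional[str], token: str) -> Tuple[int, Optional[str]]:
    """Resolve a link token, then still apply the ownership check: an unguessable
    URL on its own is not an access control, since links get forwarded and logged."""
    invoice_no = TOKENS.get(token)
    if invoice_no is None:
        return 404, None
    return view_statement(session_user, invoice_no)


if __name__ == "__main__":
    # The vulnerable endpoint serves a stranger's statement with no login at all.
    print("vulnerable, no session:", view_statement_vulnerable(1002))
    # The hardened endpoint refuses the same request.
    print("hardened, no session:  ", view_statement(None, 1002))
    print("hardened, wrong user:  ", view_statement("alice", 1002))
    print("hardened, owner:       ", view_statement("bob", 1002))
```

The ownership check is the fix; the random token is only an extra layer. A system that relies on unguessable URLs alone still leaks the moment a link is shared, cached or written to a proxy log, which is why `view_statement_by_token` re-runs the same check.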
Naschenweng said he became concerned about this security vulnerability, and phoned the CoJ call-centre and asked the agent to connect him with IT or anyone responsible for the website.
However, Naschenweng said he was told by the agent that they could not connect him. “I then asked to speak to a supervisor as the agent could not comprehend the urgency of the problem and the call-centre agent refused and put the phone down,” he said.
“I then submitted an email to CoJ, but I did not expect an urgent response.”
After he failed to raise the alarm directly with the CoJ, Naschenweng highlighted the problem on the MyBroadband forums.
According to Naschenweng, he is unhappy about the CoJ’s allegations that a malicious attack was to blame for the online billing security woes.
“The CoJ is now attempting to discredit my honest attempt as a concerned citizen to assist in resolving one of their data-leakage issues, and by the sounds of it are now pursuing criminal charges against this,” said Naschenweng.
“This is quite shocking as one would have expected more transparency instead of a witch-hunt, but I am completely open to challenge CoJ if their accusations are directed at me.”
By the time of publishing, the CoJ online system was still offline, the city having taken the site down for a second time on Wednesday (21 August) because the security hole persisted.
The company behind the Ekurhuleni Metropolitan Municipality’s billing system – which had a similar security vulnerability – patched its system to ensure unauthorised viewing of invoices is no longer possible.