City of Johannesburg Leaks Personal Bills Online, Threatens Flaw Finder

← Back to Stories (view on slashdot.org)

City of Johannesburg Leaks Personal Bills Online, Threatens Flaw Finder

Posted by samzenpus on Thursday August 22, 2013 @09:32PM from the no-good-deed dept.

An anonymous reader writes "A major security hole in the City of Johannesburg's online billing system has meant that customer invoices have been visible on the open web with a bit of simple parameter phishing. Change a digit in the URL for your bill, and someone else's appears. Including major corporations like the roads agency, SANRAL (which is R55 000 in arrears, apparently). Neighboring Ekhuruleni had a similar problem too. Both problems were discovered by regular visitors at a local IT forum, and it's interesting to compare the two cities reactions. Ekhuruleni quietly and quickly fixed the problem, while Joburg has threatened legal action against the user — who tried to raise the issue with the city IT team several times before going public. Legal experts say there's a potential case for a class action."

46 comments

Min score:

Reason:

Sort:

attention-seeking by Joining+Yet+Again · 2013-08-22 21:38 · Score: 2

I've never understood why people non-anonymously go public with security flaws, except for personal gain. "Yeah I'm that guy, give me credz/a job... BUT I DID IT ALTRUISTICALLY!"
Either post directly under an alias, or - better - release to the IT or even general press.
1. Re:attention-seeking by Anonymous Coward · 2013-08-22 21:42 · Score: 1
  
  Because they are stupid and seriously think that they will be received better if they attach a name. That's completely wrong. It just gives people, or in this case, a municipal government, a direction to sling shit in. It's kind of like how if you disagree with APK while logged in, he'll follow you around for months and spam every post you make, except it has real consequences.
2. Re:attention-seeking by Chatsubo · 2013-08-22 21:59 · Score: 5, Insightful
  
  Years ago I stumbled a hideous flaw in a clients website after being asked to retrieve a file from it: Directory listings turned on and folders filled with customer accounts, details, histories, etc.
  Luckily I had read enough Slashdot to understand I shouldn't just bang an email out to them explaining that I'd just perused thousands of customer files by simply chopping the filename off. No, instead I reported to my superiors and warned them to let the CEO himself "gently" suggest this little oversight to the other company and keep my name out of it. So it was, and nothing nefarious came of it.
  As IT pro's we must understand that what sounds trivial to us sounds like (car analogy ahead) this to a customer:
  "Oh hey, that lock on your garage is useless, I mean I picked it in like 5 seconds. Then I unlocked your car too, and started it, and drove it around the block. Just wanted to let you know you should be more careful".
  It is not like that, but it sounds like that. S'all I'm sayin.
  
  --
  > no, yes, maybe (tagging beta)
3. Re:attention-seeking by Anonymous Coward · 2013-08-22 22:03 · Score: 0
  
  It's kind of like how if you disagree with APK while logged in, he'll follow you around for months and spam every post you make
  Crap, look what you've done! You're ruining my good name! He's gonna spam me now!
4. Re:attention-seeking by Anonymous Coward · 2013-08-22 22:22 · Score: 0
  
  But if you privately discover a flaw, then you cannot use that method since there are no superiors to contact.
  Well, if you're religious you can try to pray to god that he gives those people the insight to fix this ...
5. Re:attention-seeking by Narcocide · 2013-08-22 22:54 · Score: 3, Funny
  
  No, don't ever do that. God will only punish you for pointing out the flaws in his plan.
6. Re:attention-seeking by Chatsubo · 2013-08-22 23:08 · Score: 1
  
  There are no bugs, just undocumented features.
  
  --
  > no, yes, maybe (tagging beta)
7. Re:attention-seeking by TapeCutter · 2013-08-22 23:25 · Score: 2
  
  Rubbish. George Burns admitted the pips in avocadoes were way too big, and that he thought 15 was "close enough" to middle aged when he created Adam and Eve.
  
  --
  And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
8. Re:attention-seeking by crashcy · 2013-08-23 00:07 · Score: 1
  
  This is very well put. I think the hardest thing I've had to learn working in IT is not how to write code or troubleshoot software, but how to talk to non-IT people. When I first arrived at my current job, I saw many opportunities to improve things, and excitedly suggested a dozen projects. All people would hear though was that I thought they were bad at there jobs, the only reason they could see that I could be talking about improving how they do things. I'm still working on that aspect.
9. Re:attention-seeking by duke_cheetah2003 · 2013-08-23 00:25 · Score: 1
  
  You forgot to capitalize His.
10. Re:attention-seeking by Anonymous Coward · 2013-08-23 00:36 · Score: 1
  
  You forgot to capitalize His.
  Capitalize his what?
  Don't you mean her's?
11. Re:attention-seeking by Anonymous Coward · 2013-08-23 00:53 · Score: 0
  
  They can sling shit all they want. If they follow through, I will be investigated. My first step will be to lay criminal charges against the CIO for faking/lying about being hacked. And Ive got a bigger and more expensive legal defense than they will be able to get.
12. Re:attention-seeking by VortexCortex · 2013-08-23 01:04 · Score: 1
  
  Middle age was apt for the Middle ages... Other ages need not apply, some assembly required, your parents code it together.
13. Re:attention-seeking by interval1066 · 2013-08-23 01:41 · Score: 1
  
  Your looking at it wrong; these clowns are a public entity, and worse, they encourage you to use a flawed publicly available service that they provide. The guy told them about the flaw serveral times which they ignored, endangering the public and screwing up the trust. These guys are WRONG anyway you clide it, and pointing to the bell ringer as the problem is really bad.
  
  --
  Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
14. Re:attention-seeking by CimmerianX · 2013-08-23 02:24 · Score: 1
  
  Sounds like he tried to do this the right way, by contacting the cities several times. I'm sure he's getting sued for vindictive reasons, more like, "How dare he embarrass the city by exposing our security flaws, in the hopes that would pressure us to fix them after we did nothing from repeated warnings.... how DARE he???"
15. Re:attention-seeking by Nyder · 2013-08-23 03:34 · Score: 1
  
  I've never understood why people non-anonymously go public with security flaws, except for personal gain. "Yeah I'm that guy, give me credz/a job... BUT I DID IT ALTRUISTICALLY!"
  Either post directly under an alias, or - better - release to the IT or even general press.
  Let say you banked at bank that had this flaw. You tell them it has this flaw, they ignore you. You tell them again, they ignore you. You tell them again, they ignore you. YOu tell them again, they ignore you.
  So besides moving to a new bank, what do you do? You let everyone know that they have a flaw and need to fix it. It's called public shaming and has been used since the beginning of man.
  
  --
  Be seeing you...
16. Re:attention-seeking by mcgrew · 2013-08-23 04:41 · Score: 0
  
  All people would hear though was that I thought they were bad at there jobs, the only reason they could see that I could be talking about improving how they do things.
  Well, maybe you should have said something in person rather than using email, because you come across as very uneducated. I mean uneducated as in "dropped out of the ninth grade." Nobody is going to take you seriously if you don't know the difference between there and their, which you should have learned by the third grade.
  In fact, that made me doubt you're even in IT and suspect you're still in middle school.
  
  --
  Free Martian Whores!
17. Re:attention-seeking by Anonymous Coward · 2013-08-23 05:16 · Score: 0
  
  You should consider taking a close look at your life and why you are so angry and quick to insult people.
  Someone made a typo so you insinuate that they dropped out of high school? This is a web forum and I imagine that the poster simply did not proof read their post. An insult is unnecessary and serves only to vent your anger, anger which really should not have resulted from the post in question.
  Honest question, do you think your post contributed value to the discussion or the person your replied to? If not, why post it?
18. Re:attention-seeking by fahrbot-bot · 2013-08-23 07:24 · Score: 1
  
  No, don't ever do that. God will only punish you for pointing out the flaws in his plan.
  Too true. From what I've read and personally experienced, God can be kind of a dick at times.
  
  --
  It must have been something you assimilated. . . .
How times have changed by Quick+Reply · 2013-08-22 21:47 · Score: 1

5 years ago it would be considered a "Hacking" crime to bring to light such a trivial adjustment to the way you access a website by changing it's URL in a small way, but now it is grounds for class action against the operator for actual lax security.
1. Re:How times have changed by Anonymous Coward · 2013-08-22 21:58 · Score: 1
  
  I'm quite sure you are referring to a situation in a different country...! Seen this behavior the most with Americans, who always insist on their sovereignty in the world, but never acknowledge that laws work differently once you step across the border.
2. Re:How times have changed by Anonymous Coward · 2013-08-22 22:35 · Score: 0
  
  5 years ago? I'm pretty sure a pretty infamous guy was jailed for several years for something pretty identical only a few months ago?
Why? They think they're helping. by Anonymous Coward · 2013-08-22 21:49 · Score: 5, Insightful

They think that the people who run this are people like them, reasonable people.
But these people are run for local government. If you think national government is filled with a cancerous collection of social misfits only out for their own egos, you've seen NOTHING compared to local government.
What these people thought was the same as someone who sees some money drop out of someone's bag or pocket, picks it up and then taps the person on the shoulder to say "Here, you dropped this". They thought they'd get "Thanks for that". What they GOT was "HOW DARE YOU STEAL MY MONEY!!!!!".
Because a person in charge is fucking crazy and everyone else is too scared to gainsay them because they're fucking crazy.
1. Re:Why? They think they're helping. by Joining+Yet+Again · 2013-08-22 22:25 · Score: 3, Insightful
  
  Eh companies go for lawsuits too when people dare to uncover their incompetence - sometimes push for criminal charges. But this is the Internet and everything seems to end up being Government vs Corporation even though they're really the same thing.
2. Re:Why? They think they're helping. by Joining+Yet+Again · 2013-08-22 22:26 · Score: 3, Insightful
  
  Mind you, I'm not saying you're wrong - I suppose all powerful humans are a cancerous collection only out for their own egos. Otherwise they wouldn't even care for power.
3. Re:Why? They think they're helping. by TapeCutter · 2013-08-22 23:18 · Score: 3, Insightful
  
  I suppose all powerful humans are a cancerous collection only out for their own egos.
  It's worse than you think. We are all somebody else's idea of a cancer on society..
  
  --
  And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
4. Re:Why? They think they're helping. by somersault · 2013-08-22 23:26 · Score: 3, Funny
  
  Not sure if enlightening, or depressing .__.
  
  --
  which is totally what she said
5. Re:Why? They think they're helping. by fahrbot-bot · 2013-08-23 07:20 · Score: 1
  
  Not sure if enlightening, or depressing .__.
  Many things can be both, simultaneously - sigh.
  
  --
  It must have been something you assimilated. . . .
Sueing out of incompetence? by Errol+backfiring · 2013-08-22 22:05 · Score: 3, Insightful

This sounds like a "let's sue the user before anyone sues us" tactic. Johannesburg has effectively been publishing sensitive data, which should violate privacy laws. If anyone should be brought to court, it is Johannesburg itself.

--
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
1. Re:Sueing out of incompetence? by Anonymous Coward · 2013-08-22 22:51 · Score: 0
  
  Sounds like they're suing him not so much for simply discovering the exploit, but for using this exploit to get the account of an unpopular company and sending the information to a newspaper.
  On the other hand, it should be SANRAL who does the suing, but they'd more likely sue the city who left the account in the open (kaching) than spend money they don't have in attacking some random individual. So Jo'burg shifts the blame by taking legal action before anyone else can.
  OK, I changed my mind and agree with you. Nice username, by the way (Guards Guards!).
2. Re:Sueing out of incompetence? by AmiMoJo · 2013-08-22 23:04 · Score: 1
  
  Rather than admit they were idiots who didn't implement basic security the staff prefer to say they were hacked and are victims of some criminal genius. Everyone knows that no security system can stop an elite hacker. How many movies open with some nerd breaking into the Pentagon's computer system?
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
3. Re:Sueing out of incompetence? by Anonymous Coward · 2013-08-22 23:15 · Score: 0
  
  Maybe that's the way it should be, but the attorney I used for my child custody case was a former I.T. employee who went to law school. He also handles criminal matters and in one case was defending an elder lady accoused of hacking who barely had enough knowledge to use the internet. In our conversations, he argued that even changing a get parameter is hacking under the laws. I countered with so a mistyped URL can be hacking and he said yup, but obviously he'd argue differently if he was defending the person. Common sense has no place in the law (except in West Virginia where the law says common sense trumps the law).
4. Re:Sueing out of incompetence? by inasity_rules · 2013-08-23 00:46 · Score: 1
  
  SANRAL should be Suing?!!!
  For some context, SANRAL misappropriated a pension fund. A won lawsuit against the city of Joburg would just result in an increase of rates and we'd still have to pay E-tolls on top of that. The city of Joburg may be incompetent in the extreme, but SANRAL is just pure evil.
  
  --
  I have determined that my sig is indeterminate.
5. Re:Sueing out of incompetence? by Anonymous Coward · 2013-08-23 03:31 · Score: 0
  
  SANRAL should be Suing?!!!
  Yes. They may be criminal scum*, but you know what they say about the defense of liberty. You need to defend the worst of the worst, or else it opens the way to eroding our freedoms. Unless this was their court-ordered punishment for the misappropriation of a pension fund, yes, they should sue, and probably should win.
  
  *I don't actually know if this is true, it is just my rephrasing of how you described them.
6. Re:Sueing out of incompetence? by Anonymous Coward · 2013-08-23 03:53 · Score: 0
  
  Fer fucks sake learn to use punctuation and quotes properly. I had to read that 4 times to understand it.
7. Re:Sueing out of incompetence? by inasity_rules · 2013-08-23 03:55 · Score: 1
  
  Problem is, if they sue or not, the people lose...
  
  --
  I have determined that my sig is indeterminate.
Gimme Hope Jo'anna by Chrisq · 2013-08-22 22:14 · Score: 2

Gimme Hope Jo'anna - where is the shining light of Freedom in Africa now?
Feedback from the guy that found the flaw by KruiserX · 2013-08-22 22:55 · Score: 5, Informative

http://mybroadband.co.za/vb/showthread.php/553957-City-of-Joburg-security-issue-everyone-can-see-all-customers-statements?p=11014501&viewfull=1#post11014501
"Hi all, I have yet to get contacted by CoJ or anyone else responsible/concerned about my initiative to help close the data-leak. As far as I am concerned I have not done anything illegal and have not been charged or accused of having conducted anything illegal. The CoJ certainly makes it out that the customer invoices were accessed in an sophisticated and malicious hack. I did elaborate this to the press and while all of you understand exactly what happened it is still astounding that CoJ attempts to bury the real story instead of taking accountability for what actually happened. Although this incident is presented as an attack, Google managed to index the tax-invoices dating back to February 2013 and all information circulating in the press (such as the mentioned SANRAL tax invoice) have been publicly available via a simple Google search, prior to my discovery on 20th August 2013. The CoJ claims of a hack are simply rubbish and any person with an internet connection would have been able to view the same information. There is ZERO IT-skill required to change an invoice number in a web-address. I am not going to worry about any criminal or civil charges and a team of lawyers is ready to deal with those should that situation arise. It is quite shocking to see how the media reported on this issue despite having had many witness accounts and solid evidence at hand. In my opinion it should have never gotten to the point that this situation is now all over the news, had the CoJ acted responsibly and shown accountability and prompt resolve. I think MyBroadband has managed to capture the actual events very accurately and I appreciate all the support, PM's and phone-calls I have received over the last few days. As a rate- and tax-payer it is our civic duty to ensure that our resources are managed in a responsible way and it is quite an embarrassment that our leaders (which we pay via our taxes) show zero interest in serving their residents - if they did, we would not sit with the number of threads and misinformation currently being pedalled to save face. The newspapers equally act irresponsibly by printing anything being said without having verified actual facts (which are readily available) and as such are not improving the situation. As a CoJ resident I am ashamed to life in a city where their representatives lie and misinform to cover up incompetence and shy away from their own accountability."
1. Re:Feedback from the guy that found the flaw by Inda · 2013-08-23 01:23 · Score: 2
  
  That raises a question in my mind. How did Google find them? Surely it doesn't increment numbers in a query string?
  
  Either they were hyperlinked on CoJ's website, or someone else already 'hacked' the website and has linked the invoices from elsewhere.
  
  --
  This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
2. Re:Feedback from the guy that found the flaw by munch117 · 2013-08-24 02:33 · Score: 1
  
  You think Google only finds URL's using crawlers? All it takes is a single mention somewhere in a google docs document, or in an email sent or received by gmail. Or something on the page itself, like google analytics, ads by google, or maybe a reference to a google-hosted Javascript or image file, or a link to a google-hosted page, anything with a referrer.
Yup. by Anonymous Coward · 2013-08-23 00:07 · Score: 0

Yup, all (to any practical measure of it) powerful people become enamoured of the power. Small government *are worse* than central government in this case, mostly because the remit of the power is more immediate and they're less likely to have to (or be able to) delegate to a deep structure of flunkies. When you have an army of flunkies, it's the power over people you exercise. When it's power over some real external realities (i.e. parks and recreation management or councillor) then it's power over things you're "responsible for" that is required.
This is the same for corporations. Middle/senior management will want power over people. The technical prima donna will want power over the activity they work on.
So local government are much more likely to sue if you show them up like this. Police officers, the same. The CEO will want you to dance to his tune. The prima donna wants you to be humiliated.
Doing a Joburg by Skapare · 2013-08-23 01:52 · Score: 1

The next city or government utility provider doing this, it will be referred to as "doing a Joburg" or "did a Joburg" (that is, thinking that merely having a login makes a site secure).

--
now we need to go OSS in diesel cars
Other companies have had this happen, even in IT by compwizrd · 2013-08-23 02:50 · Score: 1

Lenovo Canada had the same problem last year or so. I fired off an email to the right people, we emailed back and forth a few times, they didn't think there was a problem and couldn't reproduce, I finally setup a test case step by step to pull up someone's invoice, and they fixed it after.
They offered me a free case or battery or laptop accessory as thanks, I never bothered taking them up on it.
I was actually trying to lookup my own invoice from a laptop order I had made... their invoicing system is an utter mess as each component you buy gets separately invoiced as it ships, and I had bought a laptop as a guest or similar.. I knew my invoice number, just not the specific details.. I noticed the url given in the order email had the invoice number in it, and changing the invoice number to the other order gave my invoice.. and then tried a different number and learned that so-and-so had a mouse shipped to their address, etc.
They haven't fixed the invoicing system yet.. I'd much rather be billed for everything at once when it goes to manufacturing, or when it all ships.. Right now you have to go through each line on the order and match it up to the invoice they've sent... calculating the tax and shipping costs for each one.
publicly accessible with no authentication by Anonymous Coward · 2013-08-23 02:51 · Score: 0

Just a note for all those and the article writer, the pages were publicly available without any credentials. Thus you did not need to log in and then manipulate the URL to see other people's statements, rather you just typed in a URL and poof, there was someone's bill. In fact they have been indexed by Google since Feb this year.
Could the writer please update the article to reflect the above points, this was no phishing or any other malicious attack, it was just a straight public set of URLs that should have been secured, but weren't. You can't expect a poster on a public wall not to be viewed by the public, same principle applies.
CoJ has actually open a criminal case by Anonymous Coward · 2013-08-26 08:07 · Score: 0

http://mybroadband.co.za/news/general/85285-city-of-joburg-opens-criminal-case-against-hacking.html
The City of Joburg has opened a criminal case at the Hillbrow police station after a forensic investigation with its IT partner apparently showed that its online system was hacked.
It laid the charge at the Hillbrow police station in Johannesburg, said spokesman Gabu Tugwana. The police could not confirm whether a case had been opened.
“Criminal acts of this nature will not go unpunished and the city intends to send out a strong message that a deliberate and malicious breach of this nature will not be tolerated,” said Tugwana.
He declined to reveal the hacker’s identity, but said they were not a member of the city’s staff.
“We would like to reassure all residents that the necessary legal and technical steps are being taken to prevent similar incidents in future.
“Our residents’ confidential information is safe and secure,” Tugwana said.........