City of Johannesburg Leaks Personal Bills Online, Threatens Flaw Finder
An anonymous reader writes "A major security hole in the City of Johannesburg's online billing system has meant that customer invoices have been visible on the open web with a bit of simple parameter phishing. Change a digit in the URL for your bill, and someone else's appears. Including major corporations like the roads agency, SANRAL (which is R55 000 in arrears, apparently). Neighboring Ekhuruleni had a similar problem too. Both problems were discovered by regular visitors at a local IT forum, and it's interesting to compare the two cities' reactions. Ekhuruleni quietly and quickly fixed the problem, while Joburg has threatened legal action against the user — who tried to raise the issue with the city IT team several times before going public. Legal experts say there's a potential case for a class action."
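The "change a digit in the URL" flaw the summary describes is an insecure direct object reference: the invoice handler trusts the identifier in the request and never checks that the invoice belongs to the logged-in account. The following is an added example, not code from the story or from either city's billing system, modelling the vulnerable handler beside a fixed one and the enumeration an outsider can run against each. The account numbers, invoice IDs, amounts and the `/bill?invoice=` URL shape are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    account_id: int   # the customer account this invoice belongs to
    amount_due: int   # rand; constructed figure


# Constructed sample data standing in for the billing database.
INVOICES = {
    1001: Invoice(1001, account_id=1, amount_due=1250),
    1002: Invoice(1002, account_id=2, amount_due=55000),
    1003: Invoice(1003, account_id=1, amount_due=300),
}


@dataclass(frozen=True)
class Session:
    account_id: int   # who the caller is, taken from the server-side session, never the URL


def parse_invoice_id(url):
    """Pull the invoice number out of a constructed URL such as /bill?invoice=1002."""
    qs = parse_qs(urlparse(url).query)
    values = qs.get("invoice", [])
    if len(values) != 1 or not values[0].isdigit():
        return None
    return int(values[0])


def get_invoice_vulnerable(session, url):
    """IDOR: any authenticated caller gets whatever invoice number they ask for."""
    invoice_id = parse_invoice_id(url)
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    return 200, inv


def get_invoice_fixed(session, url):
    """Authorize against the session principal: the invoice must belong to the caller.

    Both 'no such invoice' and 'not your invoice' return 404 so the status code
    cannot be used to enumerate which invoice numbers exist.
    """
    invoice_id = parse_invoice_id(url)
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.account_id != session.account_id:
        return 404, None
    return 200, inv


def enumerate_invoices(handler, session, start, stop):
    """Model the attack: walk a range of invoice numbers as one logged-in account
    and collect every invoice the handler hands back."""
    found = []
    for invoice_id in range(start, stop):
        status, inv = handler(session, f"/bill?invoice={invoice_id}")
        if status == 200:
            found.append(inv.invoice_id)
    return found


if __name__ == "__main__":
    me = Session(account_id=1)
    print("vulnerable:", enumerate_invoices(get_invoice_vulnerable, me, 1000, 1010))
    print("fixed:     ", enumerate_invoices(get_invoice_fixed, me, 1000, 1010))
```

Run as account 1, the vulnerable handler leaks account 2's invoice (1002) along with the caller's own; the fixed handler returns only 1001 and 1003. The ownership check is the fix; making invoice numbers unguessable only slows enumeration and is not a substitute for it.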
They think that the people who run this are people like them, reasonable people.
But these people are run for local government. If you think national government is filled with a cancerous collection of social misfits only out for their own egos, you've seen NOTHING compared to local government.
What these people thought was the same as someone who sees some money drop out of someone's bag or pocket, picks it up and then taps the person on the shoulder to say "Here, you dropped this". They thought they'd get "Thanks for that". What they GOT was "HOW DARE YOU STEAL MY MONEY!!!!!".
Because a person in charge is fucking crazy and everyone else is too scared to gainsay them because they're fucking crazy.
Years ago I stumbled on a hideous flaw in a client's website after being asked to retrieve a file from it: directory listings turned on and folders filled with customer accounts, details, histories, etc.
Luckily I had read enough Slashdot to understand I shouldn't just bang an email out to them explaining that I'd just perused thousands of customer files by simply chopping the filename off. No, instead I reported to my superiors and warned them to let the CEO himself "gently" suggest this little oversight to the other company and keep my name out of it. So it was, and nothing nefarious came of it.
As IT pros, we must understand that what sounds trivial to us sounds like (car analogy ahead) this to a customer:
"Oh hey, that lock on your garage is useless, I mean I picked it in like 5 seconds. Then I unlocked your car too, and started it, and drove it around the block. Just wanted to let you know you should be more careful".
It is not like that, but it sounds like that. S'all I'm sayin.
This sounds like a "let's sue the user before anyone sues us" tactic. Johannesburg has effectively been publishing sensitive data, which should violate privacy laws. If anyone should be brought to court, it is Johannesburg itself.
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!