Monthly Archives: September 2016

Some details on the eThekwini Municipality vulnerability

Here are some extra details on what happened yesterday.

Here is the MyBroadband article for context.

Timeline

At 12pm on 7 September a colleague of mine received the email from eThekwini, and told me the password was in plain text.

Presumably they were staging the emails, because at 4:31pm on 7 September I received the same email. The password was in plain text, and it was my actual password, not a newly generated one.
This means they were either storing the passwords in plain text, or encrypting them and storing the ciphertext. Both are obviously bad: if they can decrypt it, chances are so can someone else.
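As an added example (not code from the original post or from the municipality's system), this is the storage model the post contrasts with: a one-way hashed record that can verify a login but cannot reproduce the password, plus a "forgot password" message that carries a random single-use token instead of the password. Function names, the PBKDF2 parameters and the sample values are my own.

```python
import hashlib
import hmac
import os
import secrets

# Assumption: PBKDF2-HMAC-SHA256 with this iteration count is an acceptable cost.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str) -> dict:
    """Return a storable record: a fresh random salt and a one-way digest.

    Nothing in the record can be turned back into the password, so a reset
    email built from this record cannot contain the user's real password.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def reset_message(email: str) -> tuple[str, str]:
    """Build the reset email body the way the post implies it should be done.

    Returns (token, body). The token is random and single-use; the server
    stores a hash of it with an expiry and the body never mentions a password,
    because with hashed storage the server does not know one.
    """
    token = secrets.token_urlsafe(32)
    body = (
        f"A password reset was requested for {email}.\n"
        f"Use this one-time token within 30 minutes: {token}\n"
    )
    return token, body


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print("login ok:", verify_password(record, "correct horse battery staple"))
    print("stored record contains plaintext:", "correct horse" in str(record))
    print(reset_message("resident@example.invalid")[1])
```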
