Here are some extra details on what happened yesterday.
Here is the MyBroadband article for context.
At 12pm 7 September a colleague of mine received the email from eThekwini, and told me the password was in plain text.
Presumably they were staging emails because at at 4:31pm 7 September I received the same email. The password was in plain-text, and was my actual password, not a newly generated one.
This means they were either storing the passwords in plain-text, or encrypting them and storing that – both of which are obviously bad, because if they can decrypt it, chances are so can someone else.
20 minutes later I tweeted the image.
— Matt Cavanagh (@RogueCode) September 7, 2016
Immediately after tweeting I logged in, saw the obvious issue with viewing other peoples data, and emailed them to let them know that there was a problem – I did not tweet about this.
Werner Van Deventer emailed them at the same time (note that the 5:50pm tweet that @matthewsavides refers to is the one at 4:50PM linked above).
— Werner van Deventer (@brutaldev) September 8, 2016
Werner emailed someone directly at eThekwini, along with CC’ing their public address, with lots of detail.
Sent: 07 September 2016 04:55 PM
To: [NAME REMOVED]
Subject: eServices security disaster
Hi [NAME REMOVED],
I got your email address from a customer survey email sent a while back. This new site has serious security problems that were not difficult to identify.
Today I got an email with my account password in plain text, this clearly means you are not hashing or securing passwords in your database. I am unable to change my password to something more secure so this is left exposed.
The site does not use SSL, so all logins and activity is exposed over the network in plain text for anyone to intercept.
You have an account enumeration exploit on your forgot password page, so it’s easy to find out registered email addresses.
You can request anyone’s bill with an account number and date, without being logged in!
Not my bill for example: http://eservices.durban.gov.za/v2/Report/GenerateBill?accountNumber=xxxxxxxx&billDate=2016-06-11
Getting account numbers and other personal information (ID numbers, phone numbers, email addresses) is not difficult either since you can view and edit anyone’s details by changing the customer ID in the URL. This is extremely serious as you are exposing sensitive information about customers including their account number to access their municipal bills.
http://eservices.durban.gov.za/v2/Profile/Index2?customerId=177531&agentId=0 – [NAME REMOVED]
http://eservices.durban.gov.za/v2/Profile/Index2?customerId=177532&agentId=0 – [NAME REMOVED]
http://eservices.durban.gov.za/v2/Profile/Index2?customerId=177533&agentId=0 – [NAME REMOVED]
It appears as though you are also able to edit this information quite easily which could completely corrupt your database and prevent people from getting their bills. Anyone can register for an eServices account and perform these exploits.
I strongly suggest switching off this site and fixing the problems as you are exposing people’s personal information including my own.
He received a response at 8:01 AM the following day.
Date: Thu, Sep 8, 2016 at 8:01 AM
Subject: RE: eServices security disaster
I have forwarded your email to the relevant team, to look at the issues you mentioned below.
(Back to the 7th)
Right after emailing them, I contacted Jan Vermeulen from MyBroadband about it. We agreed that I’d give them some time to reply, and then if they didn’t respond to me he would get the MyBB media team to contact them and give them 48 hours before publishing anything publically.
At around 11PM 7 September, Werner DM’d them on twitter urging them to take the site down. He then DM’d them again at about 11AM 8 September, 3 hours after the reply from [NAME REMOVED] above.
Werner also attempted a call to their call center on the morning of the 8th but was not able to get through – presumably they were handling lots of calls about the new system in general.
At around 12PM the next day (8 September), Taylor Gibb posted a blog post about it
eThekwini has failed us. https://t.co/CF3Y9RPd9b
— Taylor Gibb (@taybgibb) September 8, 2016
At 1:14PM eThekwini replied on Twitter
— eThekwini Muni (@eThekwiniM) September 8, 2016
An hour later, around 2 PM they took the site down, and it is still down as of right now.
Around the same time MyBroadband published their article (obviously the 48 hour responsible disclosure no longer applied at this stage).
The URL to a particular profile is:
[When the site was up] a person needed to be logged into the site to access the page. However, once logged in you could change that customerId to anything and view their profile.
I wish it was the first time I had seen something this bad in production.
While viewing someone else’s account it looked like you could access as much as you could on your own profile. This included residential addresses, ID number, cell and phone numbers, email address, and yes, password.
You could also access bills for any user, even without being logged in. Not only that, but Werner was able to access bills for hours after the site was “taken offline”.
Werner confirmed that you could edit someone else’s details, since the ID of the user was stored in a hidden field and POST’ed to the server, instead of using the ID of the actual logged in user.
This is a screenshot of me viewing someone else’s account.
The ID’s were incremental, and went up to just over 300,000. @brutaldev confirmed that of those, around 98,000 were tied to real customers.
As of right now it is safe to assume that that entire dataset has been scraped by at least one [but probably multiple] person with ill-intent.
Also, as of right now, eThekwini has not notified anyone that their personal detail have been compromised.Taylor and Cath received an email from eThekwini about a possible breach, but neither Werner, my colleague, or myself have received it.
This is a pretty big problem, and it totally irresponsible. Besides personal details, many people use their same password in multiple places (shame on you!).
This is the email they sent out
Date: Thu, Sep 8, 2016 at 8:34 PM
Subject: PUBLIC NOTICE TO ALL ETHEKWINI MUNICIPALITY ESERVICES USERS
To: [NAME REMOVED]
The password I had tied to my account was a crazy bad one that I can only assume I put in never intending to the use the account (which I didn’t – I only knew I had an account when I got the email).
Anyway, go make sure you didn’t use the same password twice!
— Werner van Deventer (@brutaldev) September 9, 2016